
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561858
MD5: 28e07d9ab0a04c2f660e2506117e63b5
SHA1: 28c526b2130b829c389c0b7351ff4ad0e3d63d89
SHA256: c4b5efac85934e3ec9a0c11d14b0136c0b116366408193a8b7c32bdd1dffc5ce
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 28E07D9AB0A04C2F660E2506117E63B5)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1780008217.00000000052A0000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E458E2 | 0_2_00E458E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E45D46 | 0_2_00E45D46
Source: file.exe, 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.1914182645.000000000110E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: &RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2789888 > 1048576
Source: file.exe | Static PE information: Raw size of ecosufqf is bigger than: 0x100000 < 0x2a3200
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1780008217.00000000052A0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W;ecosufqf:EW;pnlltuis:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2ae447 should be: 0x2ab33b
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: ecosufqf
Source: file.exe | Static PE information: section name: pnlltuis
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA80D push ecx; mov dword ptr [esp], edi | 0_2_00FBA826
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA80D push ebx; mov dword ptr [esp], 33FF8A17h | 0_2_00FBA84F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA80D push edx; mov dword ptr [esp], esp | 0_2_00FBA886
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA94B push esi; mov dword ptr [esp], ebx | 0_2_00FBA971
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA94B push 58136DD5h; mov dword ptr [esp], edx | 0_2_00FBA9A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA94B push 3E8AFC7Fh; mov dword ptr [esp], ecx | 0_2_00FBA9B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA94B push 4D7695CFh; mov dword ptr [esp], ebx | 0_2_00FBAA3A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA94B push 63A87610h; mov dword ptr [esp], ecx | 0_2_00FBAA66
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3D0E2 push ecx; mov dword ptr [esp], 02717D15h | 0_2_00E3D0EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3D0E2 push 38FE6C4Ch; mov dword ptr [esp], edi | 0_2_00E3D896
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3D0E2 push ecx; mov dword ptr [esp], ebx | 0_2_00E3D89D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E420E2 push 03F7AFF0h; mov dword ptr [esp], ecx | 0_2_00E42105
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0104F109 push ebp; mov dword ptr [esp], eax | 0_2_0104F165
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB70D1 push edi; mov dword ptr [esp], 559D4D4Fh | 0_2_00FB70D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB70D1 push ebp; mov dword ptr [esp], 03FE1300h | 0_2_00FB70E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E410A1 push edx; mov dword ptr [esp], esi | 0_2_00E410A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC90B6 push esi; mov dword ptr [esp], ecx | 0_2_00FC9B8F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC90A8 push 6CB614DDh; mov dword ptr [esp], eax | 0_2_00FC90AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E410B1 push ebx; mov dword ptr [esp], 2CAA47B4h | 0_2_00E41457
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E410B1 push ebp; mov dword ptr [esp], eax | 0_2_00E42041
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E410B1 push ebx; mov dword ptr [esp], 7DD76519h | 0_2_00E4396C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E410B1 push ebx; mov dword ptr [esp], edi | 0_2_00E43A5B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB70AD push edi; mov dword ptr [esp], 7FAFA865h | 0_2_00FB70B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDD071 push 422E3086h; mov dword ptr [esp], edx | 0_2_00FDD0C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100D199 push 3B965D77h; mov dword ptr [esp], esp | 0_2_0100D1C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3F050 push ebx; mov dword ptr [esp], 79ED0B64h | 0_2_00E3F10A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3F050 push ebx; mov dword ptr [esp], 725FC573h | 0_2_00E3F601
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E42050 push eax; mov dword ptr [esp], 420E4BB4h | 0_2_00E4205B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3F05E push ebx; mov dword ptr [esp], 79ED0B64h | 0_2_00E3F10A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3F05E push ebx; mov dword ptr [esp], 725FC573h | 0_2_00E3F601
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3D02F push 38FE6C4Ch; mov dword ptr [esp], edi | 0_2_00E3D896
Source: file.exe | Static PE information: section name: entropy: 7.805079736087947

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E3E4FC second address: E3E510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jno 00007FA870BEAAD8h 0x0000000b popad 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E3E510 second address: E3E514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB5287 second address: FB5297 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA870BEAAD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBA69C second address: FBA6B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA87137DD68h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBA6B8 second address: FBA6C1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBABF1 second address: FBABF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDA69 second address: FBDA6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDB88 second address: FBDBB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jne 00007FA87137DD58h 0x0000000d popad 0x0000000e push eax 0x0000000f jp 00007FA87137DD5Eh 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007FA87137DD58h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDC79 second address: FBDC7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDC7F second address: FBDC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDC84 second address: FBDD2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA870BEAADEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jno 00007FA870BEAAE0h 0x00000010 nop 0x00000011 mov edi, 1EE8B0E8h 0x00000016 push 00000000h 0x00000018 movsx esi, ax 0x0000001b push 41298E7Dh 0x00000020 push eax 0x00000021 jo 00007FA870BEAAD8h 0x00000027 pushad 0x00000028 popad 0x00000029 pop eax 0x0000002a xor dword ptr [esp], 41298EFDh 0x00000031 mov dx, ax 0x00000034 push 00000003h 0x00000036 push 00000000h 0x00000038 push edx 0x00000039 call 00007FA870BEAAD8h 0x0000003e pop edx 0x0000003f mov dword ptr [esp+04h], edx 0x00000043 add dword ptr [esp+04h], 0000001Dh 0x0000004b inc edx 0x0000004c push edx 0x0000004d ret 0x0000004e pop edx 0x0000004f ret 0x00000050 mov edi, dword ptr [ebp+122D3CB3h] 0x00000056 push 00000000h 0x00000058 sub si, AA43h 0x0000005d movsx esi, bx 0x00000060 push 00000003h 0x00000062 jmp 00007FA870BEAAE7h 0x00000067 call 00007FA870BEAAD9h 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDD2A second address: FBDD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDD2E second address: FBDD38 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA870BEAAD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDD38 second address: FBDD7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007FA87137DD56h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 jbe 00007FA87137DD58h 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jmp 00007FA87137DD69h 0x00000022 mov eax, dword ptr [eax] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jnl 00007FA87137DD56h 0x0000002d push ebx 0x0000002e pop ebx 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDE64 second address: FBDE78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA870BEAADBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDE78 second address: FBDE92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA87137DD65h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDE92 second address: FBDEBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ecx 0x0000000c jmp 00007FA870BEAADFh 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007FA870BEAAD8h 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBDEBA second address: FBDF63 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA87137DD69h 0x00000008 jmp 00007FA87137DD63h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jmp 00007FA87137DD68h 0x00000018 pop eax 0x00000019 pushad 0x0000001a or ecx, 19C0068Eh 0x00000020 cld 0x00000021 popad 0x00000022 push 00000003h 0x00000024 push 00000000h 0x00000026 push ebx 0x00000027 call 00007FA87137DD58h 0x0000002c pop ebx 0x0000002d mov dword ptr [esp+04h], ebx 0x00000031 add dword ptr [esp+04h], 00000014h 0x00000039 inc ebx 0x0000003a push ebx 0x0000003b ret 0x0000003c pop ebx 0x0000003d ret 0x0000003e js 00007FA87137DD57h 0x00000044 cmc 0x00000045 push 00000000h 0x00000047 sub esi, 0DC7C503h 0x0000004d push 00000003h 0x0000004f jmp 00007FA87137DD64h 0x00000054 push D6E8240Eh 0x00000059 push esi 0x0000005a push edi 0x0000005b push eax 0x0000005c pop eax 0x0000005d pop edi 0x0000005e pop esi 0x0000005f xor dword ptr [esp], 16E8240Eh 0x00000066 cld 0x00000067 lea ebx, dword ptr [ebp+124539BEh] 0x0000006d mov si, bx 0x00000070 xchg eax, ebx 0x00000071 push ecx 0x00000072 pushad 0x00000073 pushad 0x00000074 popad 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB3711 second address: FB3717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB3717 second address: FB371B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB371B second address: FB371F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB371F second address: FB3725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB3725 second address: FB3743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA870BEAAD6h 0x0000000a jmp 00007FA870BEAAE4h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB3743 second address: FB3774 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA87137DD61h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007FA87137DD5Ah 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b pushad 0x0000001c push edi 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDD0FC second address: FDD108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA870BEAAD6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDD506 second address: FDD516 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA87137DD62h 0x00000008 jo 00007FA87137DD56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDD516 second address: FDD51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDD660 second address: FDD666 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDD666 second address: FDD66C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDD66C second address: FDD672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDD910 second address: FDD947 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FA870BEAAEDh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA870BEAAE0h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDD947 second address: FDD94D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDDA91 second address: FDDAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA870BEAAE6h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA870BEAAE4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDDAC5 second address: FDDACB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDDACB second address: FDDAED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA870BEAAE6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FA870BEAAD6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDDC4E second address: FDDC61 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA87137DD5Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDDF21 second address: FDDF49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA870BEAAE1h 0x00000007 jc 00007FA870BEAAE9h 0x0000000d jmp 00007FA870BEAADDh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDE0A2 second address: FDE0B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA87137DD5Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDE0B4 second address: FDE0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDE0C0 second address: FDE0C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDE241 second address: FDE245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDE245 second address: FDE253 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FA87137DD58h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDE253 second address: FDE265 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA870BEAADDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDE265 second address: FDE271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDE271 second address: FDE29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007FA870BEAAE5h 0x00000010 pushad 0x00000011 jnc 00007FA870BEAAD6h 0x00000017 jg 00007FA870BEAAD6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FAAFFA second address: FAB008 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA87137DD56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5D44 second address: FE5D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE5D4A second address: FE5D4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE4CAA second address: FE4CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA870BEAAD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE9C12 second address: FE9C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnc 00007FA87137DD56h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE9C1F second address: FE9C24 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE9C24 second address: FE9C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE9D6B second address: FE9D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA870BEAAD6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA870BEAADDh 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE9ECD second address: FE9ED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE9ED1 second address: FE9ED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE9ED7 second address: FE9EF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA87137DD69h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEA098 second address: FEA0A2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA870BEAAD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEA37C second address: FEA3A3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA87137DD6Dh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FA87137DD65h 0x0000000f jbe 00007FA87137DD5Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEA628 second address: FEA660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA870BEAAE8h 0x00000009 pop edi 0x0000000a je 00007FA870BEAAE8h 0x00000010 jmp 00007FA870BEAAE0h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEA660 second address: FEA67F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007FA87137DD63h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEB07B second address: FEB07F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEB07F second address: FEB085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEB229 second address: FEB241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA870BEAADCh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEB51E second address: FEB530 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA87137DD5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEB6FF second address: FEB703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEBC6F second address: FEBC73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEBF29 second address: FEBF2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEC089 second address: FEC08F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FEC08F second address: FEC093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEC093 second address: FEC0BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA87137DD66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007FA87137DD58h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEC14F second address: FEC153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FED07C second address: FED087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA87137DD56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FED087 second address: FED08D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEDAA3 second address: FEDAAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FA87137DD56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FED08D second address: FED091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEE2D2 second address: FEE2E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA87137DD5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEDAAD second address: FEDAB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEE2E4 second address: FEE2F6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA87137DD56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEE2F6 second address: FEE2FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEF430 second address: FEF450 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FA87137DD60h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007FA87137DD56h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0296 second address: FF02F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FA870BEAAE6h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+1245303Eh], esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007FA870BEAAD8h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 movsx edi, dx 0x00000033 push 00000000h 0x00000035 or di, BC37h 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d push esi 0x0000003e jnc 00007FA870BEAAD6h 0x00000044 pop esi 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEF450 second address: FEF45E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FA87137DD56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF02F6 second address: FF0300 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA870BEAADCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF1907 second address: FF1911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FA87137DD56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF1911 second address: FF1984 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA870BEAAD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007FA870BEAADAh 0x00000013 push ecx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pop ecx 0x00000017 nop 0x00000018 mov esi, dword ptr [ebp+122D39FBh] 0x0000001e push 00000000h 0x00000020 add dword ptr [ebp+122D1C73h], ebx 0x00000026 jmp 00007FA870BEAADBh 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007FA870BEAAD8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 mov dword ptr [ebp+12453A68h], edi 0x0000004d jl 00007FA870BEAAD6h 0x00000053 xchg eax, ebx 0x00000054 jmp 00007FA870BEAADAh 0x00000059 push eax 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF1984 second address: FF1988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF1988 second address: FF1991 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF1991 second address: FF1997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF48DE second address: FF48EC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF48EC second address: FF48F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF48F2 second address: FF496C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA870BEAAD8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FA870BEAAD8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 stc 0x00000028 push 00000000h 0x0000002a movzx ebx, ax 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007FA870BEAAD8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 mov ebx, 7B146C1Ah 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 jmp 00007FA870BEAAE4h 0x00000057 push ecx 0x00000058 pop ecx 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7852 second address: FF787C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA87137DD68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f jbe 00007FA87137DD5Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF4B2A second address: FF4B2F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF5A75 second address: FF5B62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA87137DD66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007FA87137DD6Dh 0x00000010 jnp 00007FA87137DD67h 0x00000016 jmp 00007FA87137DD61h 0x0000001b nop 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007FA87137DD58h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 00000016h 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 jmp 00007FA87137DD5Ah 0x0000003b push dword ptr fs:[00000000h] 0x00000042 call 00007FA87137DD5Ch 0x00000047 push esi 0x00000048 or dword ptr [ebp+122D1E65h], esi 0x0000004e pop edi 0x0000004f pop ebx 0x00000050 mov dword ptr fs:[00000000h], esp 0x00000057 jng 00007FA87137DD75h 0x0000005d jl 00007FA87137DD6Fh 0x00000063 jmp 00007FA87137DD69h 0x00000068 adc ebx, 71005B30h 0x0000006e mov eax, dword ptr [ebp+122D1731h] 0x00000074 pushad 0x00000075 jo 00007FA87137DD5Bh 0x0000007b xor ax, 05EBh 0x00000080 push ebx 0x00000081 jmp 00007FA87137DD66h 0x00000086 pop ebx 0x00000087 popad 0x00000088 push FFFFFFFFh 0x0000008a mov dword ptr [ebp+122D2B34h], ebx 0x00000090 push eax 0x00000091 je 00007FA87137DD79h 0x00000097 push eax 0x00000098 push edx 0x00000099 push eax 0x0000009a push edx 0x0000009b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6C00 second address: FF6C06 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF5B62 second address: FF5B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6C06 second address: FF6C1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA870BEAADAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF8C1F second address: FF8C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF9C40 second address: FF9C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFAC83 second address: FFAC9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA87137DD67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFBBE2 second address: FFBBE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFBBE7 second address: FFBBED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFBBED second address: FFBBFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFBBFB second address: FFBC05 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA87137DD56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFE897 second address: FFE89F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10019E2 second address: 10019E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD9DC second address: FFDA65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FA870BEAADCh 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FA870BEAAD8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov dword ptr [ebp+122D1D7Ch], ecx 0x0000003c mov eax, dword ptr [ebp+122D1585h] 0x00000042 push 00000000h 0x00000044 push ecx 0x00000045 call 00007FA870BEAAD8h 0x0000004a pop ecx 0x0000004b mov dword ptr [esp+04h], ecx 0x0000004f add dword ptr [esp+04h], 00000014h 0x00000057 inc ecx 0x00000058 push ecx 0x00000059 ret 0x0000005a pop ecx 0x0000005b ret 0x0000005c add dword ptr [ebp+1247F2EFh], edx 0x00000062 xor dword ptr [ebp+12451869h], ebx 0x00000068 push FFFFFFFFh 0x0000006a sub dword ptr [ebp+122D2127h], ecx 0x00000070 xor di, 3D61h 0x00000075 push eax 0x00000076 pushad 0x00000077 push eax 0x00000078 push edx 0x00000079 push ebx 0x0000007a pop ebx 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFEA13 second address: FFEAC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA87137DD56h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d jmp 00007FA87137DD60h 0x00000012 nop 0x00000013 mov bh, ch 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FA87137DD58h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 call 00007FA87137DD63h 0x0000003b jmp 00007FA87137DD61h 0x00000040 pop ebx 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 push 00000000h 0x0000004a push ecx 0x0000004b call 00007FA87137DD58h 0x00000050 pop ecx 0x00000051 mov dword ptr [esp+04h], ecx 0x00000055 add dword ptr [esp+04h], 00000017h 0x0000005d inc ecx 0x0000005e push ecx 0x0000005f ret 0x00000060 pop ecx 0x00000061 ret 0x00000062 mov dword ptr [ebp+122D1D13h], eax 0x00000068 mov eax, dword ptr [ebp+122D0DF9h] 0x0000006e push FFFFFFFFh 0x00000070 mov edi, 320F8690h 0x00000075 mov di, 6F31h 0x00000079 nop 0x0000007a pushad 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFDA65 second address: FFDA7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA870BEAAE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFB43 second address: FFFB4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1001B44 second address: 1001BE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FA870BEAADFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 jmp 00007FA870BEAADFh 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007FA870BEAAD8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000015h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov dword ptr [ebp+122D2754h], edx 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 call 00007FA870BEAAD8h 0x0000004b pop eax 0x0000004c mov dword ptr [esp+04h], eax 0x00000050 add dword ptr [esp+04h], 0000001Dh 0x00000058 inc eax 0x00000059 push eax 0x0000005a ret 0x0000005b pop eax 0x0000005c ret 0x0000005d mov eax, dword ptr [ebp+122D049Dh] 0x00000063 push FFFFFFFFh 0x00000065 mov ebx, eax 0x00000067 nop 0x00000068 pushad 0x00000069 jmp 00007FA870BEAAE0h 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1001BE3 second address: 1001BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100396F second address: 10039B3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA870BEAAE6h 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f stc 0x00000010 push 00000000h 0x00000012 mov edi, 1308FD4Ah 0x00000017 push eax 0x00000018 pushad 0x00000019 jmp 00007FA870BEAAE2h 0x0000001e jnp 00007FA870BEAADCh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1001BE7 second address: 1001BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1001BEB second address: 1001BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1001BF8 second address: 1001BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1001BFC second address: 1001C0A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA870BEAAD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1001C0A second address: 1001C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1007B51 second address: 1007B78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA870BEAADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FA870BEAAE0h 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B986 second address: 100B98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B98A second address: 100B994 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA870BEAAD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100B994 second address: 100B9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FA87137DD56h 0x0000000d jmp 00007FA87137DD5Eh 0x00000012 jne 00007FA87137DD56h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100BB4D second address: 100BB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100BB53 second address: 100BB70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA87137DD67h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100BCED second address: 100BCF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100BCF3 second address: 100BD01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100BD01 second address: 100BD1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA870BEAAE2h 0x00000007 jns 00007FA870BEAAD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100BD1D second address: 100BD29 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA87137DD5Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100E5C5 second address: 100E5CF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA870BEAAD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100E5CF second address: 100E5EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FA87137DD56h 0x0000000a jmp 00007FA87137DD61h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100E5EA second address: 100E5EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D81B second address: 101D821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102373B second address: 102375E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA870BEAAE7h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102375E second address: 1023762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1023762 second address: 1023766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1023766 second address: 102376E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022B0E second address: 1022B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FA870BEAADAh 0x0000000b jmp 00007FA870BEAAE7h 0x00000010 popad 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022E28 second address: 1022E34 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022E34 second address: 1022E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1027E31 second address: 1027E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10280F8 second address: 10280FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10283AB second address: 10283B1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10283B1 second address: 10283C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FA870BEAADFh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10283C9 second address: 10283E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA87137DD61h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D8EC second address: 102D8F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D8F0 second address: 102D8F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CAD40 second address: 10CAD46 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CAD46 second address: 10CAD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CAD4C second address: 10CAD75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA870BEAAE7h 0x00000009 jmp 00007FA870BEAADEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E3DD9D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E3DE84 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1007BC5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: FF2C7A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 107BC35 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E420FB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E42224 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 56A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 54C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA94B rdtsc 0_2_00FBA94B
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 1704 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019D40 GetSystemInfo,VirtualAlloc,0_2_01019D40
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBA94B rdtsc 0_2_00FBA94B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3B998 LdrInitializeThunk,0_2_00E3B998
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: "Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the count the report attached to that technique):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (2), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Disable or Modify Tools (41), Virtualization/Sandbox Evasion (261), Process Injection (1), Obfuscated Files or Information (2), Software Packing (11), DLL Side-Loading (1), Bypass User Account Control (2)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (641), Process Discovery (2), Virtualization/Sandbox Evasion (261), System Information Discovery (23), Internet Connection Discovery, Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561858
Start date and time: 2024-11-24 14:55:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.529968454035193
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'789'888 bytes
MD5: 28e07d9ab0a04c2f660e2506117e63b5
SHA1: 28c526b2130b829c389c0b7351ff4ad0e3d63d89
SHA256: c4b5efac85934e3ec9a0c11d14b0136c0b116366408193a8b7c32bdd1dffc5ce
SHA512: e5ce9fb164ae86dea4b23ff8bb9f8ba6238bcc97e5f2f9102d98ec77357e99dff4b2e5ccadb488baf34116e3ad4be16248f450c5405bfb59aa7687282eaf34f9
SSDEEP: 24576:aeCV3Xaze1kxcABn/0UYSvcQe7lvboa7c4+37me9sEs1tfCmPpAfNFk0+cGk8Q0H:Iday1kz9/sJsaKVFky3WAsK/h2+7Qn
TLSH: B9D52B92A90671CBEC8E177495A7CD4A9A7D03B5073148C3A868FDBA7D73CC132B6D24
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. .......................@+.....G.*...`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x6b0000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x4000 | 0x1200 | 1836c02fe1ad3139ba9ec571ffaf6534 | False | 0.9320746527777778 | data | 7.805079736087947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ecosufqf | 0xa000 | 0x2a4000 | 0x2a3200 | e9649d1c287c78155e541c4a7b280672 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pnlltuis | 0x2ae000 | 0x2000 | 0x400 | 42749ef283022d47ec707c17e477559d | False | 0.7451171875 | data | 5.954043207536442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2b0000 | 0x4000 | 0x2200 | 0c5e7affcff894ee7aea906b70407c87 | False | 0.06307444852941177 | DOS executable (COM) | 0.7540944201879068 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID: 0
Start time: 08:56:10
Start date: 24/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xe30000
File size: 2'789'888 bytes
MD5 hash: 28E07D9AB0A04C2F660E2506117E63B5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true
    Execution Graph

    Execution Coverage: 6.2%
    Dynamic/Decrypted Code Coverage: 4.5%
    Signature Coverage: 5.6%
    Total number of Nodes: 287
    Total number of Limit Nodes: 20

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-11495FEC), ref: 01019D4C
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 01019DAD
    Memory Dump Source
    • Source File: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: c2828d15dfb7930f0927f47d82dc874192314bf419de69498a2df7b817be6f3a
    • Instruction ID: 93c0bbe20e5656a6844e4d9daf65b50bdf50dbee899e6da2a7c2784f65e0eb71
    • Opcode Fuzzy Hash: c2828d15dfb7930f0927f47d82dc874192314bf419de69498a2df7b817be6f3a
    • Instruction Fuzzy Hash: 434103B2E40206AFE339DF64C945F96BBECBB08741F1104A6A243CA4D6E77691D48B94

    Control-flow Graph (legend: Executed / Not Executed)
    control_flow_graph 141 fba94b-fba958 LoadLibraryA 142 fba95e-fbaab0 141->142
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: b0f24c2a79ad6c67572540daa4a2d37c6911d3f6e5eb8dd15c7072e169d40849
    • Instruction ID: 8fe395be66bfe5137a49999e76aab06adca5971bdc22ff633181ab8e751ca74b
    • Opcode Fuzzy Hash: b0f24c2a79ad6c67572540daa4a2d37c6911d3f6e5eb8dd15c7072e169d40849
    • Instruction Fuzzy Hash: 74314AB250C710AFE7056F19D8817BABBE5FF54720F16482DE6C586640E63548809B97
    Memory Dump Source
    • Source File: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 82b6b6fa116ff9dc96d66aef7ae1078dfb7120ad1b85eeb0e90ce6aaa3ad37f6
    • Instruction ID: 306b51d05e7367f3440893ef22c87935141903f16c8247cbcc1a1cd513e19535
    • Opcode Fuzzy Hash: 82b6b6fa116ff9dc96d66aef7ae1078dfb7120ad1b85eeb0e90ce6aaa3ad37f6
    • Instruction Fuzzy Hash: 00F027129085418ED3025A3884693A46E61ABC6304F19E8D58383EB296D3280881D390

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 01011126
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 0101113A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: bf244f51098f1461c5de724f34f5bf4bb42a38acf66c36b1da81cf993a7748d1
    • Instruction ID: e45fd2340bb036a988d46c309ef65e0c46ecea7c0954a40e0dd20181f4cc61b4
    • Opcode Fuzzy Hash: bf244f51098f1461c5de724f34f5bf4bb42a38acf66c36b1da81cf993a7748d1
    • Instruction Fuzzy Hash: 4931E03190424AFFEF2AAF64D900BEDBBB5FF14340F0041A5FA8256168C77999A0DB91

    Control-flow Graph (legend: Executed / Not Executed)
    control_flow_graph 40 101151b-101152c call 1010e7f 43 1011532 40->43 44 1011537-1011540 call 100f942 40->44 45 10115cb-10115cf 43->45 51 1011574-101157b 44->51 52 1011546-1011552 call 1010054 44->52 47 10115e3-10115e6 GetModuleHandleA 45->47 48 10115d5-10115de GetModuleHandleW 45->48 50 10115ec 47->50 48->50 56 10115f6-10115f8 50->56 53 1011581-1011588 51->53 54 10115c6 call 100f9ed 51->54 59 1011557-1011559 52->59 53->54 57 101158e-1011595 53->57 54->45 57->54 61 101159b-10115a2 57->61 59->54 60 101155f-1011564 59->60 60->54 62 101156a-10115f1 call 100f9ed 60->62 61->54 63 10115a8-10115bc 61->63 62->56 63->54
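    The control_flow_graph line above is a flattened edge list: each basic block appears as `<id> <start>-<end>` (or `<id> <address>` for a one-instruction block) followed by the Windows APIs or intra-binary `call` targets it contains, and every `<a>-><b>` token is an edge. The Python below is an added example (editor's code, not part of the report) that parses such text back into a graph, lists the reachable blocks that invoke a Windows API, and returns the shortest block path from the entry block to the first block that calls a given API; the sample text is the graph of this function, copied verbatim. The token grammar is inferred from the lines on this page and is an assumption, not a documented Joe Sandbox format.

```python
"""Rebuild a Joe Sandbox 'control_flow_graph' edge list and query it (added example)."""
import re
from collections import deque

# A block's address token is either 'start-end' or a single address (lower-case hex).
RANGE_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


def parse_cfg(text):
    """Return (nodes, edges, entry): nodes maps id -> {'range', 'calls'}; edges is a list of (src, dst)."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, entry, current, i = {}, [], None, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                   # edge 'a->b'
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and RANGE_RE.match(tokens[i + 1]):
            current = int(tok)                            # block definition '<id> <range>'
            nodes[current] = {"range": tokens[i + 1], "calls": []}
            entry = current if entry is None else entry   # first block listed is the entry
            i += 2
        elif current is None:
            i += 1                                        # stray token before the first block
        elif tok == "call" and i + 1 < len(tokens):
            nodes[current]["calls"].append("call " + tokens[i + 1])   # intra-binary call target
            i += 2
        else:
            nodes[current]["calls"].append(tok)           # a Windows API invoked by the block
            i += 1
    return nodes, edges, entry


def successors(edges):
    """Adjacency list built from the edge list."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    return succ


def reachable(edges, entry):
    """Block ids reachable from entry (breadth-first)."""
    succ, seen, queue = successors(edges), {entry}, deque([entry])
    while queue:
        for dst in succ.get(queue.popleft(), []):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def api_blocks(nodes, block_ids):
    """Blocks among block_ids that invoke a Windows API (plain 'call' targets are ignored)."""
    out = {}
    for n in sorted(block_ids):
        apis = [c for c in nodes.get(n, {"calls": []})["calls"] if not c.startswith("call ")]
        if apis:
            out[n] = apis
    return out


def path_to_api(nodes, edges, entry, api):
    """Shortest block path from entry to the first block whose calls include api, or None."""
    succ, prev, queue = successors(edges), {entry: None}, deque([entry])
    while queue:
        n = queue.popleft()
        if api in nodes.get(n, {"calls": []})["calls"]:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for dst in succ.get(n, []):
            if dst not in prev:
                prev[dst] = n
                queue.append(dst)
    return None


# Sample input: the control_flow_graph text of the GetModuleHandle function above, copied verbatim.
SAMPLE_CFG = (
    "control_flow_graph 40 101151b-101152c call 1010e7f 43 1011532 40->43 44 1011537-1011540 "
    "call 100f942 40->44 45 10115cb-10115cf 43->45 51 1011574-101157b 44->51 52 1011546-1011552 "
    "call 1010054 44->52 47 10115e3-10115e6 GetModuleHandleA 45->47 48 10115d5-10115de "
    "GetModuleHandleW 45->48 50 10115ec 47->50 48->50 56 10115f6-10115f8 50->56 53 1011581-1011588 "
    "51->53 54 10115c6 call 100f9ed 51->54 59 1011557-1011559 52->59 53->54 57 101158e-1011595 "
    "53->57 54->45 57->54 61 101159b-10115a2 57->61 59->54 60 101155f-1011564 59->60 60->54 "
    "62 101156a-10115f1 call 100f9ed 60->62 61->54 63 10115a8-10115bc 61->63 62->56 63->54"
)

if __name__ == "__main__":
    nodes, edges, entry = parse_cfg(SAMPLE_CFG)
    print("API-calling blocks:", api_blocks(nodes, reachable(edges, entry)))
    print("path to GetModuleHandleW:", path_to_api(nodes, edges, entry, "GetModuleHandleW"))
```

    Note that the `call 1010054` target is all decimal digits, so a parser cannot tell block ids from addresses by character class alone; the code above relies on a block id always being followed by a range token, and on `call` always consuming the token after it.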
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,010114AD,?,00000000,00000000), ref: 010115D8
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,010114AD,?,00000000,00000000), ref: 010115E6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 7e722692ed380357eeb75ac1e39e7011a6aea411325e4410094c3f675c606294
    • Instruction ID: 051d72cc5e2d3e421065f6fe0a29d95466fba2fbdfa1b2d8b424eab7e44eb363
    • Opcode Fuzzy Hash: 7e722692ed380357eeb75ac1e39e7011a6aea411325e4410094c3f675c606294
    • Instruction Fuzzy Hash: B9114871105606EBEB79AF38C809BAD7EE4BF10344F084211A787484E9C779A6E4CAE1

    Control-flow Graph (legend: Executed / Not Executed)
    control_flow_graph 67 100fef5-100ff25 69 1010050-1010051 67->69 70 100ff2b-100ff40 67->70 70->69 72 100ff46-100ff4a 70->72 73 100ff50-100ff62 PathAddExtensionA 72->73 74 100ff6c-100ff73 72->74 77 100ff6b 73->77 75 100ff95-100ff9c 74->75 76 100ff79-100ff88 call 100fb96 74->76 79 100ffa2-100ffa9 75->79 80 100ffde-100ffe5 75->80 83 100ff8d-100ff8f 76->83 77->74 84 100ffc2-100ffd1 call 100fb96 79->84 85 100ffaf-100ffb8 79->85 81 1010007-101000e 80->81 82 100ffeb-1010001 call 100fb96 80->82 87 1010030-1010037 81->87 88 1010014-101002a call 100fb96 81->88 82->69 82->81 83->69 83->75 94 100ffd6-100ffd8 84->94 85->84 89 100ffbe 85->89 87->69 93 101003d-101004a call 100fbcf 87->93 88->69 88->87 89->84 93->69 94->69 94->80
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 0100FF57
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: a7a852deb2b951af27be682dae2b1cf715b9aa5353b63dd3afef8c402e5b9d3f
    • Instruction ID: 49ce6d3f65aa33a3f4cce60a5dfc691b0d2c3eb7c2db173026baeccdbf59a6fc
    • Opcode Fuzzy Hash: a7a852deb2b951af27be682dae2b1cf715b9aa5353b63dd3afef8c402e5b9d3f
    • Instruction Fuzzy Hash: 4031FB31A0060ABFEF62DF98CD08B9EBBB6FF44704F000095FA81A5494D77695A5EF90

    Control-flow Graph
    • Entry block 1011604; calls GetModuleHandleExA (rendered graph omitted, executed/not-executed colouring not preserved)
    APIs
      • Part of subcall function 0100F942: GetCurrentThreadId.KERNEL32 ref: 0100F951
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 01011668
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: 273b5e84c778e2c59420d5488b858c9e99884bc1cea08f4edea5632e073109e7
    • Instruction ID: a1f170600e6008c87d4bd836a3657d8cda6f6a49e103a530ad4a3baf65ba93d1
    • Opcode Fuzzy Hash: 273b5e84c778e2c59420d5488b858c9e99884bc1cea08f4edea5632e073109e7
    • Instruction Fuzzy Hash: D3F09071200206AFEB25DF68C845FED3BA5FF28344F048411FF8645099C736C890DA10

    Control-flow Graph
    • Entry block 101a76c; calls VirtualProtect (rendered graph omitted, executed/not-executed colouring not preserved)
    Memory Dump Source
    • Source File: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0525fbed8fcb23a8ab0bd002f3290291bc72708804671403a6078ea1e772c658
    • Instruction ID: cc6c8c8f530249b8e0677789febac4ebc90a3c01177246cfd86a9ea46e2a0c73
    • Opcode Fuzzy Hash: 0525fbed8fcb23a8ab0bd002f3290291bc72708804671403a6078ea1e772c658
    • Instruction Fuzzy Hash: 7941AF71F02286EFEB25CF18C944BAE7BF1FF04314F108095E982AB596C339A991CB51

    Control-flow Graph
    • Entry block 101207c; calls CreateFileA (rendered graph omitted, executed/not-executed colouring not preserved)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 01012131
    Memory Dump Source
    • Source File: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 0945ee26eb772913618aa45af462d2a14c61c48acb31b96c7bd46a370de54adc
    • Instruction ID: 45bfab0ccb4cd1e16d444ce4c610e596ca68880046d727bf998d3983c6e89ccf
    • Opcode Fuzzy Hash: 0945ee26eb772913618aa45af462d2a14c61c48acb31b96c7bd46a370de54adc
    • Instruction Fuzzy Hash: 1631CB75A00206FFEB61DF68DC44F9DBBB8FB44314F208269FA05AA195C7799A41CB10

    Control-flow Graph
    • Entry block fba80d; calls LoadLibraryA (rendered graph omitted, executed/not-executed colouring not preserved)
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 6e266c6299cab1bd26cc3272c96776ab52e208d9d64181788a9828b295dfdea4
    • Instruction ID: 550b7f8dd2dfab4c067b1da6f9b37ca390503963178114d76af3d30c618e5b40
    • Opcode Fuzzy Hash: 6e266c6299cab1bd26cc3272c96776ab52e208d9d64181788a9828b295dfdea4
    • Instruction Fuzzy Hash: BA31C2B251C700AFE712BF19D8816BAFBE5FF54311F06482DE6C482610EB3588908B9B

    Control-flow Graph
    • Entry block 1011898; calls CreateFileA (rendered graph omitted, executed/not-executed colouring not preserved)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 0101191A
    Memory Dump Source
    • Source File: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: c32da5a2c947160be41bd7d47a5daf5f82457caf39eac26d9b937c68e20bf53b
    • Instruction ID: 38cefbde4f8a2eb54dac9e80f442ad4af51ccd12709a07e5ec7bceac66295214
    • Opcode Fuzzy Hash: c32da5a2c947160be41bd7d47a5daf5f82457caf39eac26d9b937c68e20bf53b
    • Instruction Fuzzy Hash: 5531D575600205BBEB759F68DC45F9DB7B9EF40724F208269F721EA0D1C3B9A141CB14

    Control-flow Graph
    • Entry block 101a4b9; calls GetModuleFileNameA (rendered graph omitted, executed/not-executed colouring not preserved)
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 0101A566
    Memory Dump Source
    • Source File: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 2c5e33305cde1d356c552d4e4c639eb8d76bc2ed7c3b68ac93d88986d42b2280
    • Instruction ID: cfc7a7e0ced4d4646d9e9c365dca988c1382e319dc9f439181d83fc8729edd14
    • Opcode Fuzzy Hash: 2c5e33305cde1d356c552d4e4c639eb8d76bc2ed7c3b68ac93d88986d42b2280
    • Instruction Fuzzy Hash: DB11E971B07265DFEB724A188C48BEF77BCAF48718F1040D1E9859B049DB78D9C48BA1

    Control-flow Graph (graph image not rendered; legend: Executed / Not Executed)

    • Basic blocks 5480d43-5480df7; OpenSCManagerW is called in block 5480dab-5480dda
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05480DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1915982424.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 50db7747f8f4c23c269dc5fac2bdea3ce473a363e9a43888cb618851aa733c63
    • Instruction ID: 81029bbb50f1e0aea08832c2a92e49e9dbc27779636e630a3f65d192df63f93b
    • Opcode Fuzzy Hash: 50db7747f8f4c23c269dc5fac2bdea3ce473a363e9a43888cb618851aa733c63
    • Instruction Fuzzy Hash: 872134B6C102189FCB10DF99D889BDEFBF4FB88320F14825AD809AB344C734A544CBA4

    Control-flow Graph (graph image not rendered; legend: Executed / Not Executed)

    • Basic blocks 5480d48-5480df7; OpenSCManagerW is called in block 5480dab-5480dda
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05480DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1915982424.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 34653fa8bed6c45f8c5912d0f84d501335d0f43c7231f77b6a7f3c6673b62d07
    • Instruction ID: e92840c8796a1753717de793cf4746ec6c3cda336e62c4f3740ff07dc1cb970d
    • Opcode Fuzzy Hash: 34653fa8bed6c45f8c5912d0f84d501335d0f43c7231f77b6a7f3c6673b62d07
    • Instruction Fuzzy Hash: 7B2144B6C102189FCB10DF99D888BDEFBF4FB88320F14825AD809AB344C734A544CBA4

    Control-flow Graph (graph image not rendered; legend: Executed / Not Executed)

    • Basic blocks 5481510-54815b7; ControlService is called in block 5481510-548158d
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05481580
    Memory Dump Source
    • Source File: 00000000.00000002.1915982424.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 784d2673dfb62e1f37536f3189f5d1c083a8499c3f731c57316572bb756496b3
    • Instruction ID: a80cc11248d19e5e457ee2b4b283bb7dc8edb862bc7aea287fa9a80aee1fa85b
    • Opcode Fuzzy Hash: 784d2673dfb62e1f37536f3189f5d1c083a8499c3f731c57316572bb756496b3
    • Instruction Fuzzy Hash: 051114B19003498FCB20DF9AD484BDEFBF4EB48320F10802AE919A3340D378A644CFA5

    Control-flow Graph (graph image not rendered; legend: Executed / Not Executed)

    • Basic blocks 5481509-54815b7; ControlService is called in block 5481558-548158d
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05481580
    Memory Dump Source
    • Source File: 00000000.00000002.1915982424.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: f17b820a8b66fb950b8ad2facb7170e4cbb0780debead7fe5631a23bc172a8e2
    • Instruction ID: e61ca88243de68419cbdea35079159e134060c5e22068053354097e7ab92d25c
    • Opcode Fuzzy Hash: f17b820a8b66fb950b8ad2facb7170e4cbb0780debead7fe5631a23bc172a8e2
    • Instruction Fuzzy Hash: 502106B59003498FDB10CFAAD545BEEBBF4FB48311F10842AE519A7240D338A644CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05481367
    Memory Dump Source
    • Source File: 00000000.00000002.1915982424.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 488e7425252fbd80701a72f09a74f933877547f43b812d714c818170dacbb528
    • Instruction ID: f3b0abb815db6622946301a2dd3555a949ebf1626024af20110288db0ede70f8
    • Opcode Fuzzy Hash: 488e7425252fbd80701a72f09a74f933877547f43b812d714c818170dacbb528
    • Instruction Fuzzy Hash: 541113B18003498FDB20DF9AD845BEEBBF4EF49324F24846AD518A3350D778A544CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05481367
    Memory Dump Source
    • Source File: 00000000.00000002.1915982424.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5480000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 41aea0ed5f307a0b6ee138eee813790676472fb4215c4ce9d40f26991549cac9
    • Instruction ID: c35bb973866e755eba6968a8fe8c6a2113fc840424fdf04aa3a619707cc69d5e
    • Opcode Fuzzy Hash: 41aea0ed5f307a0b6ee138eee813790676472fb4215c4ce9d40f26991549cac9
    • Instruction Fuzzy Hash: 401125B18003498FDB20DF9AD445BEEBBF4EB48320F20846AD518A3240C778A544CBA5
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 7e6a776510267b1f410b3a0589b92e5ffeb182e73d042b5156febab196640e82
    • Instruction ID: 8c3ea327fe8cce4c6a5a22a0873d15f48447525ae7c23b775c65f3cacdbb8169
    • Opcode Fuzzy Hash: 7e6a776510267b1f410b3a0589b92e5ffeb182e73d042b5156febab196640e82
    • Instruction Fuzzy Hash: 42E07EB244CA00DFE702BF29D8867ADB7E0EF98310F02082EDAC583910D6342491DE87
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: d7547f16ec792b612e0beca86559e9864c08247c018ff90a17eb497352108e95
    • Instruction ID: 81c19a575d4fb43ee6c79c39a045c2c14b77d2d9a697b79aee6103cbaa1ccf12
    • Opcode Fuzzy Hash: d7547f16ec792b612e0beca86559e9864c08247c018ff90a17eb497352108e95
    • Instruction Fuzzy Hash: C101E835A0050ABFEF229FA4CC04DDEBFBAEF49350F0041A5A545A40A0D7328A61EF60
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,0101A0DF,?,?,01019DE5,?,?,01019DE5,?,?,01019DE5), ref: 0101A103
    Memory Dump Source
    • Source File: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 1845648b11b1529094823d54f0e9dab91865e826d5c836fd1cb9c684472e9450
    • Instruction ID: 28deaa7a20d5f87f0917b55b683d4189c53a038c42b593b6c3f6bd4aae06aa46
    • Opcode Fuzzy Hash: 1845648b11b1529094823d54f0e9dab91865e826d5c836fd1cb9c684472e9450
    • Instruction Fuzzy Hash: 11F0D1B1A01205EFD7208F08CD05B98BBE0FF59791F1180A5F58AAB6A1E3B594C08B50
    APIs
      • Part of subcall function 0100F942: GetCurrentThreadId.KERNEL32 ref: 0100F951
    • CloseHandle.KERNELBASE(01012059,-11495FEC,?,?,01012059,?), ref: 010126D4
    Memory Dump Source
    • Source File: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID:
    • API String ID: 3305057742-0
    • Opcode ID: 6ada03d935a55eaf94fc0a5f2b01c2f560151b1c6756105924f6e80fe9e6d9df
    • Instruction ID: d0da97e1d8098b27e1841b6d4857c76a458a9bd6092face6dc2c31f42e348d8a
    • Opcode Fuzzy Hash: 6ada03d935a55eaf94fc0a5f2b01c2f560151b1c6756105924f6e80fe9e6d9df
    • Instruction Fuzzy Hash: 6CE04F76204147B7EE22BBB9D908D8E2F6CAFB4284B004522A18695098DA28C592DA61
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00E3F844
    Memory Dump Source
    • Source File: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 38c59ce789bd1dfcb793fbc1f2089eb958cef2b9eda42d4a76853e0214639bf2
    • Instruction ID: 8af92be34aae59a104be5c75d0f0380ab4c41317dce44244b0398e7eb65edf0a
    • Opcode Fuzzy Hash: 38c59ce789bd1dfcb793fbc1f2089eb958cef2b9eda42d4a76853e0214639bf2
    • Instruction Fuzzy Hash: 4EE04F75918500DFE305BF39C8097BE7BA1EB94310F505638DEC5A7254D2311825CA56
    APIs
    • CloseHandle.KERNELBASE(?,?,0100F7E1,?,?), ref: 01011761
    Memory Dump Source
    • Source File: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 171cc5901095bc0a96cab95c652d08b75be2d0f1426fa1532ff9bd436bbfc83c
    • Instruction ID: 5ffeab0fe990da83e81967f198f8b78f179ffc1e7270c005188919ec44b4c031
    • Opcode Fuzzy Hash: 171cc5901095bc0a96cab95c652d08b75be2d0f1426fa1532ff9bd436bbfc83c
    • Instruction Fuzzy Hash: E4B09B3500510977CB41BF55DC0584D7F69FF752947008111F54544430C776D561D790
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID:
    • String ID: j$pD-7
    • API String ID: 0-2832694843
    • Opcode ID: 4b9b382d94855f5e4d16a1bff9b240b152f2d0055c4f0b7f5083452d9b2e59e4
    • Instruction ID: 4e7384d6b86b63faf88dc35a34a6ed1fc66af8c454f6ab85ace43c89183efbfe
    • Opcode Fuzzy Hash: 4b9b382d94855f5e4d16a1bff9b240b152f2d0055c4f0b7f5083452d9b2e59e4
    • Instruction Fuzzy Hash: 6D51BEB3F1122547F3504D29CC983A27293DBE5321F2F42788E586B7C9E87E9D4A5384
    Memory Dump Source
    • Source File: 00000000.00000002.1913098176.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
    • Associated: 00000000.00000002.1913050716.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913067242.0000000000E32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913081499.0000000000E36000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913119374.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913258578.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913273749.0000000000F9E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913298210.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913332700.0000000000FCB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913348020.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913367612.0000000000FDE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913382666.0000000000FDF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913404334.0000000000FF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913425424.0000000001005000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913443304.0000000001013000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913477781.0000000001016000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913502158.0000000001027000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913520002.0000000001029000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913586655.000000000102A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913623507.000000000102E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913778844.0000000001036000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913798565.0000000001038000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913819449.000000000103F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913872882.0000000001041000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913895480.0000000001050000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913912216.0000000001051000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913936580.0000000001052000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913952902.0000000001056000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913968946.0000000001057000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1913983998.000000000105B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914001486.0000000001063000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914016050.0000000001064000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914031610.0000000001065000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914047383.000000000106F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914090235.00000000010C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914104568.00000000010C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914121664.00000000010D0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914151114.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1914166662.00000000010E0000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e30000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d257262ce536dc420e63862e389c72fc5d42ad4523e4a2fd750c87f8e66434d4
    • Instruction ID: d79871493f3699341463627d4da690658d4a0934c4d0a3145512d5125f094cff
    • Opcode Fuzzy Hash: d257262ce536dc420e63862e389c72fc5d42ad4523e4a2fd750c87f8e66434d4
    • Instruction Fuzzy Hash: 23B17DB3E192A04FF3160A25DC243917B629B92314F1F41BACD88EB3D6D87E5C4A8395