Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562760
MD5: 1d51ecc205590f39930d9c4685aed827
SHA1: eeb3ef56179a8534e6a8f3279491a59d6afc5ffe
SHA256: 8b3ca7da6a1d9976e10e0b1913b91ef8916d2852f04fb39f8a9875f6bfe50bbb
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4488 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1D51ECC205590F39930D9C4685AED827)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC9C70 CryptVerifySignatureA | 0_2_00CC9C70
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1819519753.0000000004E70000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6D004 | 0_2_00C6D004
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7A027 | 0_2_00C7A027
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C705DB | 0_2_00C705DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C705F7 | 0_2_00C705F7
Source: file.exe, 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: defOff.exe vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename: defOff.exe vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2754048 > 1048576
Source: file.exe | Static PE information: Raw size of gowrbknw is bigger than: 0x100000 < 0x29a600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.af0000.0.unpack :EW;.rsrc:W;.idata :W;gowrbknw:EW;knmkcqxr:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2b04cf should be: 0x2a0a3e
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: gowrbknw
Source: file.exe | Static PE information: section name: knmkcqxr
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFEAEB push ecx; mov dword ptr [esp], esi | 0_2_00AFF636
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFED14 push 7685E086h; mov dword ptr [esp], edi | 0_2_00AFED26
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFD0A1 push 14D8FC3Dh; mov dword ptr [esp], edi | 0_2_00AFD0A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7D0D3 push ecx; mov dword ptr [esp], ebp | 0_2_00C7D0E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7B0DF push esi; mov dword ptr [esp], esp | 0_2_00C7B0F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D530CB push eax; mov dword ptr [esp], 7FDF9D58h | 0_2_00D53118
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D530CB push ecx; mov dword ptr [esp], ebx | 0_2_00D5316C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6F0E7 push es; retf | 0_2_00C6F0F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B03092 push ecx; mov dword ptr [esp], 7EF996F6h | 0_2_00B02970
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C71087 push 05C11271h; mov dword ptr [esp], ebx | 0_2_00C710A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C71087 push edx; mov dword ptr [esp], edi | 0_2_00C710B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C71087 push 590FB073h; mov dword ptr [esp], eax | 0_2_00C7117E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C71087 push edi; mov dword ptr [esp], ebp | 0_2_00C711D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7108F push 05C11271h; mov dword ptr [esp], ebx | 0_2_00C710A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7108F push edx; mov dword ptr [esp], edi | 0_2_00C710B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7108F push 590FB073h; mov dword ptr [esp], eax | 0_2_00C7117E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7108F push edi; mov dword ptr [esp], ebp | 0_2_00C711D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7909B push edx; mov dword ptr [esp], 3BCF0628h | 0_2_00C7909C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7E0A6 push 2F0B715Eh; mov dword ptr [esp], ebp | 0_2_00C8166E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7E0A6 push esi; mov dword ptr [esp], ebx | 0_2_00C8167D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFF0CB push edx; mov dword ptr [esp], ecx | 0_2_00AFF35D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6E0B4 push ecx; mov dword ptr [esp], ebx | 0_2_00C6E21F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6E0BF push ecx; mov dword ptr [esp], ebx | 0_2_00C6E21F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7E0BB push ecx; mov dword ptr [esp], ebx | 0_2_00C7E0C2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6E047 push 465F66D1h; mov dword ptr [esp], ecx | 0_2_00C6E056
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6E047 push 58F69E50h; mov dword ptr [esp], ecx | 0_2_00C6E2A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFD02B push eax; mov dword ptr [esp], edx | 0_2_00AFD04F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C8004D push 168959A1h; mov dword ptr [esp], esi | 0_2_00C80063
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7D04F push esi; mov dword ptr [esp], 4A3F2C3Fh | 0_2_00C7DDB2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7E056 push edi; mov dword ptr [esp], 7BF988A2h | 0_2_00C7EE0A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7E056 push ecx; mov dword ptr [esp], eax | 0_2_00C7F1C8
Source: file.exe | Static PE information: section name: entropy: 7.821919776172025

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFE352 second address: AFE363 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5AEDA second address: C5AEDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5AEDE second address: C5AEE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5AEE4 second address: C5AEF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1EAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C708BB second address: C708BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C708BF second address: C708D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F7F34B2F1EEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C746DA second address: C746E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74742 second address: C74779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F7F34B2F1F7h 0x0000000a popad 0x0000000b nop 0x0000000c mov cx, 0845h 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D35EAh], eax 0x00000018 call 00007F7F34B2F1E9h 0x0000001d push eax 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74779 second address: C7479E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7F34CEB139h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7479E second address: C747C5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7F34B2F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jmp 00007F7F34B2F1EFh 0x00000015 jo 00007F7F34B2F1ECh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74A2D second address: C74A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7F34CEB12Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74A42 second address: C74A6A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D3217h], ecx 0x0000000f push 00000000h 0x00000011 movzx ecx, cx 0x00000014 push C7C07B5Ch 0x00000019 push ebx 0x0000001a pushad 0x0000001b jmp 00007F7F34B2F1EBh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74A6A second address: C74AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 add dword ptr [esp], 383F8524h 0x0000000d mov dword ptr [ebp+122D1DA5h], edx 0x00000013 push 00000003h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F7F34CEB128h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov esi, eax 0x00000031 push 00000000h 0x00000033 mov edx, 02FE2362h 0x00000038 push 00000003h 0x0000003a clc 0x0000003b push 6B4487C2h 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F7F34CEB12Eh 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74AC1 second address: C74B28 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 54BB783Eh 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F7F34B2F1E8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 jp 00007F7F34B2F1F7h 0x0000002f jmp 00007F7F34B2F1F1h 0x00000034 sub dword ptr [ebp+122D2ABAh], edi 0x0000003a lea ebx, dword ptr [ebp+1244A64Dh] 0x00000040 jmp 00007F7F34B2F1F3h 0x00000045 push eax 0x00000046 push edi 0x00000047 push ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C686FF second address: C6871B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7F34CEB136h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6871B second address: C6872E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jo 00007F7F34B2F1E6h 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6872E second address: C68747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7F34CEB126h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F7F34CEB126h 0x00000013 jbe 00007F7F34CEB126h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C68747 second address: C6874B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6874B second address: C68757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7F34CEB126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9283C second address: C92840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C92840 second address: C92846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C92AD2 second address: C92AD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C92AD8 second address: C92AF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7F34CEB135h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C92AF3 second address: C92B1B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F34B2F1E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F34B2F1F8h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C930CA second address: C930CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C93501 second address: C93505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C93640 second address: C93644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C93644 second address: C93648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C937B2 second address: C937B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C937B8 second address: C937C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C94106 second address: C9410C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9410C second address: C94110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C94110 second address: C9411B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9411B second address: C94150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jmp 00007F7F34B2F1F4h 0x00000010 jmp 00007F7F34B2F1F3h 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C942AA second address: C942B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C942B0 second address: C942B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C942B4 second address: C942D3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7F34CEB136h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C942D3 second address: C9430C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jbe 00007F7F34B2F1ECh 0x0000000d popad 0x0000000e pushad 0x0000000f jng 00007F7F34B2F1ECh 0x00000015 jmp 00007F7F34B2F1EEh 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d pop edx 0x0000001e jp 00007F7F34B2F1E6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C946E2 second address: C946E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C946E6 second address: C946EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C946EC second address: C9470D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB137h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9470D second address: C94711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C94711 second address: C94742 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB138h 0x00000007 jmp 00007F7F34CEB135h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C94742 second address: C94758 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F34B2F1EAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F7F34B2F1E6h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C98810 second address: C98814 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9C09B second address: C9C0AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9FE09 second address: C9FE48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB137h 0x00000007 jnp 00007F7F34CEB126h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F7F34CEB134h 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 jbe 00007F7F34CEB126h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA066A second address: CA068F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007F7F34B2F1E6h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7F34B2F1F3h 0x00000011 jp 00007F7F34B2F1E6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA07B2 second address: CA07C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34CEB131h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA19AC second address: CA19B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F7F34B2F1E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA1F6E second address: CA1F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F34CEB126h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA25BC second address: CA25C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA28AC second address: CA28B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA28B0 second address: CA28B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA28B4 second address: CA28BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA2A90 second address: CA2A94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA2A94 second address: CA2A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA2A9A second address: CA2AA4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7F34B2F1ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA2AA4 second address: CA2AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F7F34CEB128h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2AB5 second address: CA2ACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F34B2F1F5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2FC7 second address: CA2FCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2FCC second address: CA2FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3A14 second address: CA3A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4B04 second address: CA4B6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F7F34B2F1E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f sub dword ptr [ebp+122D2C66h], esi 0x00000015 push 00000000h 0x00000017 mov si, ax 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F7F34B2F1E8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 call 00007F7F34B2F1F8h 0x0000003b mov edi, dword ptr [ebp+122D386Ch] 0x00000041 pop esi 0x00000042 xchg eax, ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 jc 00007F7F34B2F1ECh 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4B6A second address: CA4B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5371 second address: CA538A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34B2F1F4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA538A second address: CA538F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6225 second address: CA622A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA622A second address: CA623F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F7F34CEB126h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA623F second address: CA62D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7F34B2F1F9h 0x00000008 je 00007F7F34B2F1E6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F7F34B2F1E8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c sub dword ptr [ebp+122D32B6h], ecx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007F7F34B2F1E8h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000016h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e or di, 0E91h 0x00000053 push 00000000h 0x00000055 jng 00007F7F34B2F1ECh 0x0000005b xchg eax, ebx 0x0000005c jng 00007F7F34B2F1F0h 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jnl 00007F7F34B2F1E8h 0x0000006b pushad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55F11 second address: C55F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F7F34CEB126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55F1B second address: C55F62 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F7F34B2F1FCh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 jbe 00007F7F34B2F1ECh 0x00000017 jl 00007F7F34B2F1E6h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F7F34B2F1F2h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA84C3 second address: CA84D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34CEB12Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA906F second address: CA90CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 or si, 98C1h 0x0000000c mov di, 431Dh 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F7F34B2F1E8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F7F34B2F1E8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000017h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 mov dword ptr [ebp+1246E03Fh], edi 0x0000004e xchg eax, ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 pushad 0x00000053 popad 0x00000054 push edx 0x00000055 pop edx 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA90CF second address: CA90F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB135h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jbe 00007F7F34CEB126h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA90F3 second address: CA90F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA9B87 second address: CA9B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA98AD second address: CA98B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA98B2 second address: CA98C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F7F34CEB126h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAB7DA second address: CAB7E4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F34B2F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE2DB second address: CAE2DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE2DF second address: CAE2E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE2E3 second address: CAE2E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB22DD second address: CB22EA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB1463 second address: CB1469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB22EA second address: CB234A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F7F34B2F1F0h 0x0000000a popad 0x0000000b nop 0x0000000c mov dword ptr [ebp+12450FA8h], esi 0x00000012 push 00000000h 0x00000014 mov dword ptr [ebp+124483D5h], ebx 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F7F34B2F1E8h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000016h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 mov edi, 48A3B980h 0x0000003b pushad 0x0000003c mov bx, dx 0x0000003f jg 00007F7F34B2F1ECh 0x00000045 popad 0x00000046 xchg eax, esi 0x00000047 push ecx 0x00000048 push esi 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB152F second address: CB1549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007F7F34CEB126h 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edi 0x00000012 jo 00007F7F34CEB12Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB33C8 second address: CB33D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7F34B2F1ECh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB247B second address: CB248E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB12Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB33D4 second address: CB346A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 jmp 00007F7F34B2F1F5h 0x0000000d pop eax 0x0000000e jmp 00007F7F34B2F1EAh 0x00000013 popad 0x00000014 nop 0x00000015 mov edi, 03E7EB72h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F7F34B2F1E8h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 0000001Ah 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 or dword ptr [ebp+122D3217h], edi 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edi 0x00000041 call 00007F7F34B2F1E8h 0x00000046 pop edi 0x00000047 mov dword ptr [esp+04h], edi 0x0000004b add dword ptr [esp+04h], 00000016h 0x00000053 inc edi 0x00000054 push edi 0x00000055 ret 0x00000056 pop edi 0x00000057 ret 0x00000058 xor ebx, 15FFCE0Ah 0x0000005e xor dword ptr [ebp+122D1E4Dh], edi 0x00000064 mov dword ptr [ebp+122D2ABAh], esi 0x0000006a xchg eax, esi 0x0000006b jl 00007F7F34B2F1F4h 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB248E second address: CB254A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 nop 0x00000007 push edi 0x00000008 mov edi, eax 0x0000000a pop edi 0x0000000b jmp 00007F7F34CEB134h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F7F34CEB128h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F7F34CEB128h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 add dword ptr [ebp+122D334Ch], edx 0x00000058 mov eax, dword ptr [ebp+122D0AE1h] 0x0000005e pushad 0x0000005f jmp 00007F7F34CEB130h 0x00000064 sub eax, 5FD92E01h 0x0000006a popad 0x0000006b push FFFFFFFFh 0x0000006d jbe 00007F7F34CEB12Ch 0x00000073 push eax 0x00000074 jnc 00007F7F34CEB144h 0x0000007a push eax 0x0000007b push edx 0x0000007c jmp 00007F7F34CEB132h 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB346A second address: CB346E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB346E second address: CB348C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7F34CEB135h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB363F second address: CB3643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB52B0 second address: CB52B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB52B6 second address: CB52BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB52BC second address: CB52C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB54B0 second address: CB5562 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d add dword ptr [ebp+122D1EB8h], esi 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F7F34B2F1E8h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 jmp 00007F7F34B2F1F3h 0x00000039 push ecx 0x0000003a and bx, A9BEh 0x0000003f pop edi 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 xor dword ptr [ebp+122D35EAh], eax 0x0000004d sub edi, dword ptr [ebp+122D39F8h] 0x00000053 mov eax, dword ptr [ebp+122D1431h] 0x00000059 sub dword ptr [ebp+122D1D5Ah], ecx 0x0000005f push FFFFFFFFh 0x00000061 jnp 00007F7F34B2F1FDh 0x00000067 push esi 0x00000068 jmp 00007F7F34B2F1F5h 0x0000006d pop edi 0x0000006e js 00007F7F34B2F1ECh 0x00000074 xor dword ptr [ebp+122D30E8h], esi 0x0000007a nop 0x0000007b push ecx 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB830B second address: CB8312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB8312 second address: CB8384 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F7F34B2F1E8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 or ebx, dword ptr [ebp+122D26CEh] 0x0000002c push 00000000h 0x0000002e mov bl, al 0x00000030 call 00007F7F34B2F1F0h 0x00000035 js 00007F7F34B2F1ECh 0x0000003b sub dword ptr [ebp+122D32C0h], ecx 0x00000041 pop edi 0x00000042 push 00000000h 0x00000044 jnl 00007F7F34B2F1E9h 0x0000004a push eax 0x0000004b push esi 0x0000004c push eax 0x0000004d push edx 0x0000004e jng 00007F7F34B2F1E6h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB8384 second address: CB8388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB64C3 second address: CB6545 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F7F34B2F1E8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+122D392Ch] 0x0000002b push dword ptr fs:[00000000h] 0x00000032 sub ebx, dword ptr [ebp+122D38ECh] 0x00000038 adc di, 52CFh 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov di, dx 0x00000047 mov eax, dword ptr [ebp+122D03F5h] 0x0000004d adc bx, EA08h 0x00000052 mov ebx, dword ptr [ebp+122D2ACEh] 0x00000058 push FFFFFFFFh 0x0000005a jmp 00007F7F34B2F1EBh 0x0000005f nop 0x00000060 push ecx 0x00000061 jmp 00007F7F34B2F1F1h 0x00000066 pop ecx 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB6545 second address: CB654C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB654C second address: CB6551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA253 second address: CBA268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F34CEB131h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA268 second address: CBA27B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F34B2F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9502 second address: CB9595 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D1D7Ah], edi 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F7F34CEB128h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007F7F34CEB128h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f sub dword ptr [ebp+122D334Ch], edx 0x00000055 mov eax, dword ptr [ebp+122D15F1h] 0x0000005b push FFFFFFFFh 0x0000005d mov di, cx 0x00000060 nop 0x00000061 push eax 0x00000062 jmp 00007F7F34CEB12Fh 0x00000067 pop eax 0x00000068 push eax 0x00000069 pushad 0x0000006a pushad 0x0000006b jmp 00007F7F34CEB12Ah 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9595 second address: CB95A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F7F34B2F1E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA3D8 second address: CBA472 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB134h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D1E33h], esi 0x00000012 push dword ptr fs:[00000000h] 0x00000019 and di, 44AFh 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 js 00007F7F34CEB139h 0x0000002b jns 00007F7F34CEB133h 0x00000031 mov eax, dword ptr [ebp+122D1745h] 0x00000037 push 00000000h 0x00000039 push ebp 0x0000003a call 00007F7F34CEB128h 0x0000003f pop ebp 0x00000040 mov dword ptr [esp+04h], ebp 0x00000044 add dword ptr [esp+04h], 0000001Ch 0x0000004c inc ebp 0x0000004d push ebp 0x0000004e ret 0x0000004f pop ebp 0x00000050 ret 0x00000051 push FFFFFFFFh 0x00000053 or dword ptr [ebp+122D1F36h], eax 0x00000059 push eax 0x0000005a pushad 0x0000005b pushad 0x0000005c pushad 0x0000005d popad 0x0000005e jc 00007F7F34CEB126h 0x00000064 popad 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F7F34CEB12Dh 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB46A second address: CBB470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB470 second address: CBB474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB474 second address: CBB478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB478 second address: CBB4FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F7F34CEB128h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c mov dword ptr [ebp+122D3116h], ebx 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov ebx, edi 0x0000003b mov bx, D426h 0x0000003f mov eax, dword ptr [ebp+122D03EDh] 0x00000045 push 00000000h 0x00000047 push ebx 0x00000048 call 00007F7F34CEB128h 0x0000004d pop ebx 0x0000004e mov dword ptr [esp+04h], ebx 0x00000052 add dword ptr [esp+04h], 00000019h 0x0000005a inc ebx 0x0000005b push ebx 0x0000005c ret 0x0000005d pop ebx 0x0000005e ret 0x0000005f xor dword ptr [ebp+122D251Eh], esi 0x00000065 push FFFFFFFFh 0x00000067 nop 0x00000068 jl 00007F7F34CEB138h 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB4FC second address: CBB500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB500 second address: CBB50F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7F34CEB126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB50F second address: CBB52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F7F34B2F1F8h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD37A second address: CBD3E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 jmp 00007F7F34CEB133h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F7F34CEB128h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b xchg eax, esi 0x0000002c pushad 0x0000002d push ecx 0x0000002e jmp 00007F7F34CEB136h 0x00000033 pop ecx 0x00000034 pushad 0x00000035 push edx 0x00000036 pop edx 0x00000037 push eax 0x00000038 pop eax 0x00000039 popad 0x0000003a popad 0x0000003b push eax 0x0000003c pushad 0x0000003d jl 00007F7F34CEB128h 0x00000043 push eax 0x00000044 pop eax 0x00000045 pushad 0x00000046 push edi 0x00000047 pop edi 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBC48D second address: CBC491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBC491 second address: CBC497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBC497 second address: CBC49C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD537 second address: CBD53D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC2222 second address: CC223A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5E39A second address: C5E3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F7F34CEB132h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5E3A7 second address: C5E3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCE808 second address: CCE80E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCE80E second address: CCE812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCE952 second address: CCE95C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEACA second address: CCEACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C61A80 second address: C61A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jno 00007F7F34CEB12Ch 0x0000000b pushad 0x0000000c ja 00007F7F34CEB126h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8409 second address: CD840D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE2CE second address: CDE2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F7F34CEB12Ch 0x00000012 jbe 00007F7F34CEB128h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDAD8 second address: CDDAE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F34B2F1E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE247F second address: CE2483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE2483 second address: CE249F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7F34B2F1F6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE249F second address: CE24AF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop ebx 0x00000008 jo 00007F7F34CEB12Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAC1D9 second address: CAC1DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACABE second address: CACAC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACCAC second address: CACCB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACCB2 second address: CACCB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACCB7 second address: CACCBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACCBD second address: CACD03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov di, E741h 0x0000000e push 00000004h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F7F34CEB128h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a nop 0x0000002b pushad 0x0000002c jbe 00007F7F34CEB12Ch 0x00000032 jc 00007F7F34CEB126h 0x00000038 push eax 0x00000039 push edx 0x0000003a push ebx 0x0000003b pop ebx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD0A6 second address: CAD0B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F7F34B2F1E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD271 second address: CAD277 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD277 second address: CAD291 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD291 second address: CAD297 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD43E second address: CAD442 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD442 second address: CAD468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7F34CEB131h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 jc 00007F7F34CEB126h 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD513 second address: CAD519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD519 second address: CAD53F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub edx, dword ptr [ebp+1248187Bh] 0x00000011 lea eax, dword ptr [ebp+12481FFCh] 0x00000017 mov cx, 0D24h 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f jo 00007F7F34CEB126h 0x00000025 pop edi 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAD53F second address: CAD546 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAD546 second address: CAD5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F7F34CEB136h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F7F34CEB128h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 jno 00007F7F34CEB128h 0x0000002e lea eax, dword ptr [ebp+12481FB8h] 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007F7F34CEB128h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e xor cx, E62Ah 0x00000053 nop 0x00000054 push esi 0x00000055 pushad 0x00000056 js 00007F7F34CEB126h 0x0000005c push edx 0x0000005d pop edx 0x0000005e popad 0x0000005f pop esi 0x00000060 push eax 0x00000061 jp 00007F7F34CEB132h 0x00000067 jbe 00007F7F34CEB12Ch 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C66C45 second address: C66C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE28DE second address: CE28E4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE28E4 second address: CE28F0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7F34B2F1EEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE2A1E second address: CE2A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE2E30 second address: CE2E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE2FAD second address: CE2FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE2FB3 second address: CE2FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8869D second address: C886A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE7B6C second address: CE7B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34B2F1EAh 0x00000009 pop edi 0x0000000a jmp 00007F7F34B2F1F2h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE7B91 second address: CE7B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE7E1C second address: CE7E3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007F7F34B2F1E6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE7E3E second address: CE7E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE7E42 second address: CE7E48 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8127 second address: CE812B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE812B second address: CE8130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8130 second address: CE8138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8EC2 second address: CE8EC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4C5D second address: CF4CB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7F34CEB12Bh 0x0000000b popad 0x0000000c je 00007F7F34CEB16Dh 0x00000012 pushad 0x00000013 jmp 00007F7F34CEB136h 0x00000018 jmp 00007F7F34CEB133h 0x0000001d jmp 00007F7F34CEB136h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4041 second address: CF4057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F7F34B2F1F1h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4642 second address: CF465E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34CEB138h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF465E second address: CF4668 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F34B2F1E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4668 second address: CF466E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF492E second address: CF4934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4934 second address: CF493E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF493E second address: CF4943 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF7863 second address: CF7867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF7867 second address: CF7872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA73B second address: CFA744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA8FD second address: CFA903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFAC36 second address: CFAC3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFAC3A second address: CFAC68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1ECh 0x00000007 js 00007F7F34B2F1E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F7F34B2F1F1h 0x00000014 popad 0x00000015 push eax 0x00000016 push esi 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0131A second address: D01324 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F7F34CEB126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D01324 second address: D01328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D00734 second address: D0074F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7F34CEB126h 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F7F34CEB126h 0x00000015 jbe 00007F7F34CEB126h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0074F second address: D0076F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1EEh 0x00000007 jnc 00007F7F34B2F1E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jng 00007F7F34B2F1F2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0076F second address: D007A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7F34CEB126h 0x0000000a pushad 0x0000000b jnp 00007F7F34CEB126h 0x00000011 jmp 00007F7F34CEB12Bh 0x00000016 jg 00007F7F34CEB126h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F7F34CEB12Bh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D008F7 second address: D008FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D008FB second address: D0090A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7F34CEB126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D00C0A second address: D00C1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1EAh 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D042D6 second address: D042E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7F34CEB126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D042E0 second address: D042F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F7F34B2F1EEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D03A46 second address: D03A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D03A4A second address: D03A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D03A4E second address: D03A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F7F34CEB136h 0x0000000c push ecx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D03FFE second address: D04002 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D04002 second address: D04008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08A3C second address: D08A46 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7F34B2F1E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08A46 second address: D08A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08BC0 second address: D08BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34B2F1F0h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007F7F34B2F1F9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CACECF second address: CACF34 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F7F34CEB128h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+12481FF7h] 0x0000002b mov dword ptr [ebp+122D32B6h], ecx 0x00000031 mov cx, di 0x00000034 add eax, ebx 0x00000036 nop 0x00000037 push edi 0x00000038 jmp 00007F7F34CEB136h 0x0000003d pop edi 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jnl 00007F7F34CEB128h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CACF34 second address: CACF78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dx, ax 0x0000000d push 00000004h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F7F34B2F1E8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 push eax 0x0000002a jbe 00007F7F34B2F1F4h 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 pop eax 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D092F8 second address: D0931B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB139h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0931B second address: D0932B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F34B2F1E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D09E40 second address: D09E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D09E46 second address: D09E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D09E4C second address: D09E5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB12Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D09E5F second address: D09E8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7F34B2F1F8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 jo 00007F7F34B2F1E6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D09E8B second address: D09E9D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 ja 00007F7F34CEB126h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D09E9D second address: D09EB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1EBh 0x00000007 pushad 0x00000008 je 00007F7F34B2F1E6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1142D second address: D11466 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7F34CEB128h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7F34CEB137h 0x00000011 jmp 00007F7F34CEB136h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D11466 second address: D1146A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D11592 second address: D115B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jmp 00007F7F34CEB139h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D118C5 second address: D118C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D118C9 second address: D118E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB12Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F7F34CEB126h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D118E5 second address: D118EB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D118EB second address: D118F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F7F34CEB126h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D12CC3 second address: D12CDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F34B2F1F0h 0x00000009 jp 00007F7F34B2F1E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1BC56 second address: D1BC5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1BC5C second address: D1BC60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1BC60 second address: D1BC64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1BC64 second address: D1BC70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1BC70 second address: D1BC81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34CEB12Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1BC81 second address: D1BC92 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F34B2F1E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1ADBD second address: D1ADC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B07A second address: D1B099 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34B2F1F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F7F34B2F1E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B099 second address: D1B09D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B33B second address: D1B36C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F7F34B2F1E8h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F7F34B2F1F3h 0x00000013 popad 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007F7F34B2F1E6h 0x0000001d jno 00007F7F34B2F1E6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B36C second address: D1B377 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B4E9 second address: D1B4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B4EF second address: D1B505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F7F34CEB12Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B505 second address: D1B52E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34B2F1F0h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7F34B2F1F0h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B52E second address: D1B534 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B686 second address: D1B68C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D247CB second address: D247FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB131h 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F7F34CEB126h 0x0000000f jmp 00007F7F34CEB135h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D247FB second address: D247FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22B21 second address: D22B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F7F34CEB12Eh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007F7F34CEB139h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22B5E second address: D22B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22B62 second address: D22B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22B68 second address: D22B6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22E40 second address: D22E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22E47 second address: D22E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jc 00007F7F34B2F1ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22F7A second address: D22F7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22F7E second address: D22F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34B2F1F3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2325C second address: D23262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23262 second address: D23266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23266 second address: D23282 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB12Ch 0x00000007 jnl 00007F7F34CEB126h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D233CE second address: D23407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34B2F1F4h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F7F34B2F1F7h 0x00000010 jns 00007F7F34B2F1E6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23407 second address: D23412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7F34CEB126h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23E26 second address: D23E32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B26D second address: D2B271 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AF64 second address: D2AF79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F7F34B2F1E8h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36EFF second address: D36F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7F34CEB126h 0x0000000a popad 0x0000000b jns 00007F7F34CEB13Dh 0x00000011 push edx 0x00000012 jmp 00007F7F34CEB136h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36932 second address: D36936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3CB87 second address: D3CB96 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F34CEB126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D418C8 second address: D418CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40400 second address: D40404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40404 second address: D4040A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4040A second address: D40410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4053A second address: D40564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34B2F1EDh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c jmp 00007F7F34B2F1EDh 0x00000011 push eax 0x00000012 jnp 00007F7F34B2F1E6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BAE7 second address: D4BAEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BAEB second address: D4BAF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BAF7 second address: D4BAFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4D0FF second address: D4D109 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7F34B2F1E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4D109 second address: D4D11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F7F34CEB128h 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4D11A second address: D4D129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 js 00007F7F34B2F1F0h 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54491 second address: D5449D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F7F34CEB126h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54139 second address: D5413E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5918C second address: D59190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B24A second address: D5B24E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5AD9C second address: D5ADAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34CEB12Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5AF0D second address: D5AF11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5AF11 second address: D5AF6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F7F34CEB139h 0x0000000a je 00007F7F34CEB126h 0x00000010 popad 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push edi 0x0000001a ja 00007F7F34CEB13Ah 0x00000020 jmp 00007F7F34CEB12Eh 0x00000025 jl 00007F7F34CEB126h 0x0000002b pushad 0x0000002c push edi 0x0000002d pop edi 0x0000002e jmp 00007F7F34CEB130h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5D3D0 second address: D5D3E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F7F34B2F1ECh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5D3E5 second address: D5D41A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F34CEB137h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7F34CEB130h 0x00000010 jl 00007F7F34CEB128h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5D41A second address: D5D435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F34B2F1F7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6506C second address: C65074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C65074 second address: C65078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C65078 second address: C6507C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6507C second address: C65082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C65082 second address: C6508D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D688D3 second address: D688D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D688D9 second address: D688DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D688DF second address: D688E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7698E second address: D76994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76994 second address: D769A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F34B2F1EAh 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76B12 second address: D76B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76B16 second address: D76B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76B1A second address: D76B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7F34CEB126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F7F34CEB12Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76B32 second address: D76B48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F34B2F1F0h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D6BC second address: D7D6C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D6C0 second address: D7D6C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D847 second address: D7D84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DB30 second address: D7DB34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8106E second address: D81097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7F34CEB12Dh 0x00000008 jmp 00007F7F34CEB135h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87A45 second address: D87A4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87A4C second address: D87A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F7F34CEB12Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D898A4 second address: D898A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D89400 second address: D8940D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007F7F34CEB12Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8B43E second address: D8B443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8B443 second address: D8B449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80C6E second address: D80C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80EE0 second address: D80F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F7F34CEB126h 0x0000000d jmp 00007F7F34CEB133h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8205C second address: D82071 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7F34B2F1E6h 0x00000008 jg 00007F7F34B2F1E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AFDBB6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C9AC30 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CAC387 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AFDCA1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D2C776 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5060000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5350000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5060000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C7A027 rdtsc 0_2_00C7A027
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 7164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C7A027 rdtsc 0_2_00C7A027
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFB998 LdrInitializeThunk,0_2_00AFB998
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 641 Security Software Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 41 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Bypass User Account Control | 261 Virtualization/Sandbox Evasion | Security Account Manager | 261 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 22 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Bypass User Account Control | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562760
Start date and time: 2024-11-26 00:24:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.504390763224444
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'754'048 bytes
MD5: 1d51ecc205590f39930d9c4685aed827
SHA1: eeb3ef56179a8534e6a8f3279491a59d6afc5ffe
SHA256: 8b3ca7da6a1d9976e10e0b1913b91ef8916d2852f04fb39f8a9875f6bfe50bbb
SHA512: 5b60c9ef97931818351780b7a56cfb46087d6483226f8757151c9faebe9d621b81f2a7aea821cc456979b115111cdd7f13103be117f8dd9be51f0af8f4ca6ef3
SSDEEP: 49152:rcHc7K7tTUzlmvmO2TUT95lN+vl+NhrfyOM1k4b:rcHc7KxTUhmvmOZ91yl+Nh81
TLSH: 18D54AF2B509B1CFD8CA2274A567CD46695D07F90F1608C3A86CB4B9BEB3CD225B5C24
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ........................*.......+...`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x6a8000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F7F3502671Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x4000 | 0x1200 | edf7d5a8329b4e4794c5e32169457a79 | False | 0.9348958333333334 | data | 7.821919776172025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gowrbknw | 0xa000 | 0x29c000 | 0x29a600 | 95b75d66f0d72234fd637df137cacde4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
knmkcqxr | 0x2a6000 | 0x2000 | 0x400 | 9b68903aba9751cfda51cf8e0c162688 | False | 0.791015625 | data | 6.18867043758266 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2a8000 | 0x4000 | 0x2200 | 50eb562c4869c7089b945f0c3efa1848 | False | 0.06456801470588236 | DOS executable (COM) | 0.7109920907460233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID: 0
Start time: 18:25:06
Start date: 25/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xaf0000
File size: 2'754'048 bytes
MD5 hash: 1D51ECC205590F39930D9C4685AED827
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


    Execution Graph

    Execution Coverage:3.8%
    Dynamic/Decrypted Code Coverage:13.8%
    Signature Coverage:0%
    Total number of Nodes:65
    Total number of Limit Nodes:3
    execution_graph 5259 cc9eec 5260 cc9ef8 5259->5260 5261 cc9f60 MapViewOfFileEx 5260->5261 5262 cc9f11 5260->5262 5261->5262 5291 cc949c 5293 cc94a8 5291->5293 5294 cc94b4 5293->5294 5295 cc94d4 5294->5295 5297 cc93a8 5294->5297 5299 cc93b4 5297->5299 5300 cc93c8 5299->5300 5301 cc93f5 5300->5301 5310 cc92c1 5300->5310 5304 cc93fd 5301->5304 5308 cc9366 IsBadWritePtr 5301->5308 5305 cc944e CreateFileW 5304->5305 5306 cc9471 CreateFileA 5304->5306 5307 cc9438 5304->5307 5305->5307 5306->5307 5309 cc9388 5308->5309 5309->5304 5312 cc92d0 GetWindowsDirectoryA 5310->5312 5313 cc92fa 5312->5313 5314 c7d836 LoadLibraryA 5315 c7e082 5314->5315 5263 cc9d8e 5265 cc9d9a 5263->5265 5266 cc9db2 5265->5266 5268 cc9ddc 5266->5268 5269 cc9cc8 5266->5269 5271 cc9cd4 5269->5271 5272 cc9ce7 5271->5272 5273 cc9d65 CreateFileMappingA 5272->5273 5274 cc9d01 5272->5274 5273->5274 5275 afeaeb 5276 afeb86 VirtualAlloc 5275->5276 5278 aff2c0 5276->5278 5316 cc95b8 5317 cc95c4 5316->5317 5318 cc9614 ReadFile 5317->5318 5319 cc95dd 5317->5319 5318->5319 5320 5251510 5321 5251558 ControlService 5320->5321 5322 525158f 5321->5322 5323 cc9235 5325 cc9241 5323->5325 5326 cc924d 5325->5326 5328 cc926d 5326->5328 5329 cc918c 5326->5329 5331 cc9198 5329->5331 5332 cc91ac 5331->5332 5333 cc921c GetFileAttributesA 5332->5333 5334 cc920b GetFileAttributesW 5332->5334 5335 cc91ef 5332->5335 5333->5335 5334->5335 5336 afed14 VirtualAlloc 5337 afed54 5336->5337 5279 cc8d20 5280 cc8d2c GetCurrentProcess 5279->5280 5282 cc8d3c 5280->5282 5281 cc8d7d DuplicateHandle 5283 cc8d67 5281->5283 5282->5281 5282->5283 5284 5251308 5285 5251349 ImpersonateLoggedOnUser 5284->5285 5286 5251376 5285->5286 5287 5250d48 5288 5250d93 OpenSCManagerW 5287->5288 5290 5250ddc 5288->5290
    Memory Dump Source
    • Source File: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b18c37d8425cb23ddbb97c4f2a72a5b9e50a2b75dc89804a1a6cd769b6e4e066
    • Instruction ID: f8043c15dba6020b6f52c18834333054dd6a0de4ff14c9bcfe3d75e250405c1a
    • Opcode Fuzzy Hash: b18c37d8425cb23ddbb97c4f2a72a5b9e50a2b75dc89804a1a6cd769b6e4e066
    • Instruction Fuzzy Hash: 4D4146739249298FDB21AFA8C8413B6B770EB04750F1D8561FE829B78AD3756C40C3E8

    Control-flow Graph

    control_flow_graph 0 cc9198-cc91a6 1 cc91ac-cc91b3 0->1 2 cc91b8 0->2 3 cc91bf-cc91d5 1->3 2->3 6 cc91db-cc91e9 3->6 7 cc91f4 3->7 11 cc91ef 6->11 12 cc9200-cc9205 6->12 8 cc91f8-cc91fb 7->8 10 cc922b-cc9232 8->10 11->8 13 cc921c-cc921f GetFileAttributesA 12->13 14 cc920b-cc9217 GetFileAttributesW 12->14 16 cc9225-cc9226 13->16 14->16 16->10
    APIs
    • GetFileAttributesW.KERNELBASE(010E11A4,-117D5FEC), ref: 00CC9211
    • GetFileAttributesA.KERNEL32(00000000,-117D5FEC), ref: 00CC921F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 0bd702f64851adbabd13d80968de5bbc6daf4a4e6e095d54fcad9c3b3e605267
    • Instruction ID: a53c9b92563c7257cd99219e45657fc01b081ed983d499c463755804881ea66c
    • Opcode Fuzzy Hash: 0bd702f64851adbabd13d80968de5bbc6daf4a4e6e095d54fcad9c3b3e605267
    • Instruction Fuzzy Hash: 3F01697050060BFAEF21AF64D90EF9C7E71EF05344F24816CE402A50A1C7B09AE0EB84

    Control-flow Graph

    control_flow_graph 17 cc93b4-cc93c2 18 cc93c8-cc93cf 17->18 19 cc93d4 17->19 20 cc93db-cc93e7 18->20 19->20 22 cc93ed-cc93f7 call cc92c1 20->22 23 cc9402-cc9412 call cc9366 20->23 22->23 30 cc93fd 22->30 28 cc9418-cc941f 23->28 29 cc9424-cc9432 23->29 31 cc9443-cc9448 28->31 29->31 35 cc9438 29->35 30->31 33 cc944e-cc946c CreateFileW 31->33 34 cc9471-cc9486 CreateFileA 31->34 36 cc948c-cc948d 33->36 34->36 38 cc943e 35->38 37 cc9492-cc9499 36->37 38->37
    APIs
    • CreateFileW.KERNELBASE(010E11A4,?,-117D5FEC,?,?,?,?,-117D5FEC), ref: 00CC9466
      • Part of subcall function 00CC9366: IsBadWritePtr.KERNEL32(?,00000004), ref: 00CC9374
    • CreateFileA.KERNEL32(?,?,-117D5FEC,?,?,?,?,-117D5FEC), ref: 00CC9486
    Memory Dump Source
    • Source File: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: 26ceeb5ac0ae8685f77377b0952ad05a2283e3ff82abe0fbee03e3fd2178d77c
    • Instruction ID: 5b0d67badeea88d33bd8b07ac84efd50f161117ea565aa5a114d254dd789f608
    • Opcode Fuzzy Hash: 26ceeb5ac0ae8685f77377b0952ad05a2283e3ff82abe0fbee03e3fd2178d77c
    • Instruction Fuzzy Hash: 4E11E23210418AFADF269FA0DA09F9D3A72FF08344F148119F916644B1C776CAA2EB41

    Control-flow Graph

    control_flow_graph 40 cc8d20-cc8d36 GetCurrentProcess 42 cc8d3c-cc8d3f 40->42 43 cc8d78-cc8d9a DuplicateHandle 40->43 42->43 44 cc8d45-cc8d48 42->44 47 cc8da4-cc8da6 43->47 44->43 46 cc8d4e-cc8d61 44->46 46->43 49 cc8d67-cc8d9f 46->49 49->47
    APIs
    • GetCurrentProcess.KERNEL32(-117D5FEC), ref: 00CC8D2D
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CC8D93
    Memory Dump Source
    • Source File: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID: CurrentDuplicateHandleProcess
    • String ID:
    • API String ID: 1009649615-0
    • Opcode ID: cfc8ae109a961e35c46755708a83e5f87a045ba3af32255990846bccda448869
    • Instruction ID: 8c36ffdecbf75fae111d03e1552fa22d2aad5f7105a37f7c342144a50b3a3efb
    • Opcode Fuzzy Hash: cfc8ae109a961e35c46755708a83e5f87a045ba3af32255990846bccda448869
    • Instruction Fuzzy Hash: 3701F63210054BEB8F22AFA4DD08EEF3B7ABFA83517148619F91290055CB36D5A5FB21

    Control-flow Graph

    control_flow_graph 68 5250d41-5250d97 70 5250d9f-5250da3 68->70 71 5250d99-5250d9c 68->71 72 5250da5-5250da8 70->72 73 5250dab-5250dda OpenSCManagerW 70->73 71->70 72->73 74 5250de3-5250df7 73->74 75 5250ddc-5250de2 73->75 75->74
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05250DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1954977272.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5250000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: cab3673aae1c9705483fdb5a9d7a8fcfb932d4b0f16c9e3f61a8cddfe60792e4
    • Instruction ID: e236fb43bfab586981f5adc51bfff15aa0c0953e59d4de02336819fd8884b41b
    • Opcode Fuzzy Hash: cab3673aae1c9705483fdb5a9d7a8fcfb932d4b0f16c9e3f61a8cddfe60792e4
    • Instruction Fuzzy Hash: 9A2138B6C11219DFCB50DF99D885ADEFBB0FF88320F14852AD908AB244D774A541CBA4

    Control-flow Graph

    control_flow_graph 77 5250d48-5250d97 79 5250d9f-5250da3 77->79 80 5250d99-5250d9c 77->80 81 5250da5-5250da8 79->81 82 5250dab-5250dda OpenSCManagerW 79->82 80->79 81->82 83 5250de3-5250df7 82->83 84 5250ddc-5250de2 82->84 84->83
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05250DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1954977272.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5250000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 50deca27a940b5c37bbae5538a499a4865305e1d7b21ad3ccaac0f39cda9a281
    • Instruction ID: 84a5815ce1c35ba673367ac688e391dfcbbf4f6ae1cb5e6b95cd6343ebd5a180
    • Opcode Fuzzy Hash: 50deca27a940b5c37bbae5538a499a4865305e1d7b21ad3ccaac0f39cda9a281
    • Instruction Fuzzy Hash: EA2115B6C11219DFCB50CF99D888ADEFBF4FF88320F14855AD909AB204D774A544CBA4

    Control-flow Graph

    control_flow_graph 86 5251509-5251550 87 5251558-525158d ControlService 86->87 88 5251596-52515b7 87->88 89 525158f-5251595 87->89 89->88
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05251580
    Memory Dump Source
    • Source File: 00000000.00000002.1954977272.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5250000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 4108efc1d3f5de1b06944d4310b8ec3cf35c3e8ad4503033a7c751a0fd0bca28
    • Instruction ID: 2838ebb4f9bc63a1b0af6a41724e22a7db788318bdfd0c076f9662480479249e
    • Opcode Fuzzy Hash: 4108efc1d3f5de1b06944d4310b8ec3cf35c3e8ad4503033a7c751a0fd0bca28
    • Instruction Fuzzy Hash: 282114B1D00249DFCB10CF9AD484BDEFBF4EB48320F10842AE959A7250D378A644CFA5

    Control-flow Graph

    control_flow_graph 91 5251510-525158d ControlService 93 5251596-52515b7 91->93 94 525158f-5251595 91->94 94->93
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05251580
    Memory Dump Source
    • Source File: 00000000.00000002.1954977272.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5250000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 113e3273b33a554e559ab573044ac57eaa06ac7b4652ad0399405cbaa3642bc7
    • Instruction ID: b55e36a828beffde702f9da1e57b6d1387e6745cdbff3f0acc5349c496af7d0f
    • Opcode Fuzzy Hash: 113e3273b33a554e559ab573044ac57eaa06ac7b4652ad0399405cbaa3642bc7
    • Instruction Fuzzy Hash: 9A11E4B5D00249DFDB10CF9AD584BDEFBF4EB48320F10802AE959A7250D378A644CFA5

    Control-flow Graph

    control_flow_graph 96 cc9eec-cc9f0b 99 cc9f5b-cc9f81 MapViewOfFileEx 96->99 100 cc9f11-cc9f17 96->100 106 cc9f8d 99->106 107 cc9f87-cc9f88 call cc9e83 99->107 101 cc9f1d-cc9f20 100->101 102 cc9f44-cc9f56 100->102 104 cc9f3d-cc9f3f 101->104 105 cc9f26-cc9f38 101->105 108 cc9f92 102->108 104->108 105->108 111 cc9f97-cc9f99 106->111 107->106 108->111
    APIs
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?), ref: 00CC9F73
    Memory Dump Source
    • Source File: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID: FileView
    • String ID:
    • API String ID: 3314676101-0
    • Opcode ID: db2587d7c0f9520a74019e0af7764fb86d3c61a9166b660c329e8109f80c8373
    • Instruction ID: 693590970c58b798b6d32e159d2175ff0bb262ada9ca4ad65dc998c99b0344f5
    • Opcode Fuzzy Hash: db2587d7c0f9520a74019e0af7764fb86d3c61a9166b660c329e8109f80c8373
    • Instruction Fuzzy Hash: 6A11E23210010AEECF12AFE4DC09E9E3A66EF88350B04851DF91295421C7368972FB61

    Control-flow Graph
    • Basic blocks: 113 cc9cd4-cc9ceb; 115 cc9d0c-cc9d1f; 116 cc9cf1-cc9cfb; 119 cc9d25-cc9d2c; 120 cc9d60-cc9d7f (CreateFileMappingA); 121 cc9d01-cc9d07; 122 cc9d39-cc9d3f; 123 cc9d32; 124 cc9d4c-cc9d55; 125 cc9d45-cc9d47; 128 cc9d84; 129 cc9d89-cc9d8b; 130 cc9d5b
    • Edges: 113->115, 113->116, 115->119, 115->120, 116->115, 116->121, 119->122, 119->123, 120->129, 121->128, 122->124, 122->125, 123->122, 124->130, 125->128, 128->129, 130->128
    Memory Dump Source
    • Source File: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 02b27ed5b8cdf91975d87bae40ebcc0a88d91c6cf01aaa51581329cdb7959932
    • Instruction ID: bc957de0d876d36f84d28859caf42b967cc4f9af1f2d02da09d74d1419148e59
    • Opcode Fuzzy Hash: 02b27ed5b8cdf91975d87bae40ebcc0a88d91c6cf01aaa51581329cdb7959932
    • Instruction Fuzzy Hash: 46112D3210020AEACF16AFA5DD0DF9E3B75FF48344F148519F912A6062D735CA61FB90

    Control-flow Graph
    • Basic blocks: 131 5251301-5251341; 132 5251349-5251374 (ImpersonateLoggedOnUser); 133 5251376-525137c; 134 525137d-525139e
    • Edges: 131->132, 132->133, 132->134, 133->134
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05251367
    Memory Dump Source
    • Source File: 00000000.00000002.1954977272.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5250000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 427a456e87f49dabff50cb0672c6397a088b09f89b4697539369bb2ba67530f4
    • Instruction ID: 9acdd3b24b35391f495ac3f067038c0813b0b465e115acb76da6b6254ccfa599
    • Opcode Fuzzy Hash: 427a456e87f49dabff50cb0672c6397a088b09f89b4697539369bb2ba67530f4
    • Instruction Fuzzy Hash: FE113AB1900249CFDB10CF9AD544BDEFBF4EF48320F24846AD958A7250D778A645CFA5

    Control-flow Graph
    • Basic blocks: 136 5251308-5251374 (ImpersonateLoggedOnUser); 138 5251376-525137c; 139 525137d-525139e
    • Edges: 136->138, 136->139, 138->139
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05251367
    Memory Dump Source
    • Source File: 00000000.00000002.1954977272.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5250000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: ae8fb4dca50c71d034f9aa5635d694dce943baa2e1c65dfa73d597270a89d85e
    • Instruction ID: 7f0c14dcd2fe67f1d61e84fbba07d42438c9eed3d993af8f0f4f36c49f166fc8
    • Opcode Fuzzy Hash: ae8fb4dca50c71d034f9aa5635d694dce943baa2e1c65dfa73d597270a89d85e
    • Instruction Fuzzy Hash: 021133B1800249CFDB10CF9AD444BDEFBF8EF48320F20842AD958A7250D778A984CFA5
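    The two ImpersonateLoggedOnUser functions above live in the dump at 05250000, which the report marks "based on PE: false", while the file-mapping, ReadFile, LoadLibraryA and VirtualAlloc code sits inside the image loaded at 00AF0000. When triaging the Memory Dump Source lists, the question a practitioner asks is which dumped regions are executable private memory (where unpacked code lands) and which image sections carry rights the Windows loader never sets on its own. The Python below is an added example and is not part of the Joe Sandbox report or its tooling. It decodes the .sdmp file names on the assumption, inferred from the names in this report rather than documented anywhere here, that the fourth dotted field is the region base address, the fifth the PAGE_* protection and the seventh the MEM_* type; the two remaining numeric fields are left undecoded. The sample names are copied from the report's own Memory Dump Source entries.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) names and flag executable regions
that deserve a closer look. Added example; not part of the report.

Assumed name layout (an assumption drawn from the names in this report):
  <proc>.<phase>.<dumpid>.<base>.<protect>.<f6>.<memtype>.<f8>.sdmp
field 4 = region base address, field 5 = PAGE_* protection,
field 7 = MEM_IMAGE / MEM_PRIVATE / MEM_MAPPED. Fields 6 and 8 are not decoded.
"""
import re
from dataclasses import dataclass

# Page-protection and memory-type constants from winnt.h
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_PRIVATE = 0x00020000
MEM_MAPPED = 0x00040000
MEM_IMAGE = 0x01000000

EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEMTYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<memtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int
    memtype: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def image_backed(self) -> bool:
        return self.memtype == MEM_IMAGE

    def describe(self) -> str:
        return (f"{self.base:#010x} {PROTECT_NAMES.get(self.protect, hex(self.protect))} "
                f"{MEMTYPE_NAMES.get(self.memtype, hex(self.memtype))}")


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split a dump file name into the fields assumed above; reject anything else."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    return DumpRegion(name=name, base=int(m["base"], 16),
                      protect=int(m["protect"], 16), memtype=int(m["memtype"], 16))


def classify(region: DumpRegion) -> str:
    """Label a dumped region by what its protection says about its origin.

    exec-private   : executable memory not backed by a file, i.e. allocated and
                     written at run time; this is where unpacked code lands
    exec-rwx-image : a PE section that is readable, writable and executable at
                     once; the loader never maps a section that way, a stub that
                     rewrites section rights does
    image-code     : EXECUTE_WRITECOPY on image memory, the loader's normal
                     copy-on-write mapping of a code section
    data           : anything non-executable
    """
    if not region.executable:
        return "data"
    if not region.image_backed:
        return "exec-private"
    if region.protect == PAGE_EXECUTE_READWRITE:
        return "exec-rwx-image"
    return "image-code"


def triage(names) -> list:
    """Parse every name and pair each region (sorted by base) with its label."""
    regions = sorted((parse_sdmp_name(n) for n in names), key=lambda r: r.base)
    return [(r, classify(r)) for r in regions]


def suspicious(names) -> list:
    """Only the regions worth pulling into a disassembler first."""
    return [r for r, label in triage(names) if label in ("exec-private", "exec-rwx-image")]


# Dump names copied from the Memory Dump Source entries in this report
REPORT_DUMPS = [
    "00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1954977272.0000000005250000.00000040.00000800.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for region, label in triage(REPORT_DUMPS):
        print(f"{label:15} {region.describe()}")
```

    Run against the six names above, the 05250000 region comes out as exec-private (PAGE_EXECUTE_READWRITE on MEM_PRIVATE memory, matching the "based on PE: false" tag on the ImpersonateLoggedOnUser entries), the 00AF2000 section as exec-rwx-image, and the 00B04000 and 00CC8000 sections as ordinary loader-mapped code. Those two labels are the regions to open first; the rest of the Associated list is data or normally mapped code.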

    Control-flow Graph
    • Basic blocks: 141 cc95b8-cc95d7; 144 cc95dd-cc95e3; 145 cc960f-cc962b (ReadFile); 146 cc95e9-cc95ee; 147 cc95f3-cc960a; 149 cc9630; 151 cc9635-cc9637
    • Edges: 141->144, 141->145, 144->146, 144->147, 145->151, 146->149, 147->149, 149->151
    APIs
    • ReadFile.KERNELBASE(?,?,?,?,?), ref: 00CC9624
    Memory Dump Source
    • Source File: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID: FileRead
    • String ID:
    • API String ID: 2738559852-0
    • Opcode ID: e17f66f7f500e3c0768f41b56129e3d2acdda5bd9dba5f17761a2b59c916208d
    • Instruction ID: d0dc7a0fd54dc63fe44014b9b8a0314e84f35f651a74fc47876903f62538a491
    • Opcode Fuzzy Hash: e17f66f7f500e3c0768f41b56129e3d2acdda5bd9dba5f17761a2b59c916208d
    • Instruction Fuzzy Hash: C3F0C43210014AEBCF12AF98D909F9E3B76FF49350F148519FA168A061C732C9B1FB61

    Control-flow Graph
    • Basic blocks: 152 c7d836-c7d87a (LoadLibraryA); 153 c7e082
    • Edges: 152->153
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 9d586a26da37566db69fa6c90bb35bb738452624ef09f6ecb40104697e09b3d3
    • Instruction ID: 500ec800ff0d0f9351e946ce90e72b903ea3468288736235a7912a1b4f4721f9
    • Opcode Fuzzy Hash: 9d586a26da37566db69fa6c90bb35bb738452624ef09f6ecb40104697e09b3d3
    • Instruction Fuzzy Hash: F4F0F2B280C2009FEB047F28D54667EBBE4EF24210F06096DDAC643300E67668649B83
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00AFF2A8
    Memory Dump Source
    • Source File: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 1d20ea67445fe1b663a3febd4e08eb6e30efc98f856ba94cdab7a6be99d731d0
    • Instruction ID: 3919806c1026e87b025d17eb6687dc2ce27b07d61f1aac7e1c23507974247ca9
    • Opcode Fuzzy Hash: 1d20ea67445fe1b663a3febd4e08eb6e30efc98f856ba94cdab7a6be99d731d0
    • Instruction Fuzzy Hash: CFF0AFB645C7599FC701AF6CE8806B97BE4EF08B20F16063EAAC5CB740D671099096D6
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00AFED42
    Memory Dump Source
    • Source File: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 928baf5971f6679a75dfd33be7182a4cf6e908dd4e234922215497049f598950
    • Instruction ID: f3e1a50c05a6c4b7347b648d115b1b678ba86035a2c87ab0c690542b30b98893
    • Opcode Fuzzy Hash: 928baf5971f6679a75dfd33be7182a4cf6e908dd4e234922215497049f598950
    • Instruction Fuzzy Hash: F7F0157010C60A8FDB88AFA4D44817EBBF0FF44721F12092DE8D6CA690EB708C80CB16
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID:
    • String ID: l9[>
    • API String ID: 0-3810578572
    • Opcode ID: 8ab64ee0300fd9469ea8df48a25b17406342bb89fc278ac032b285f9af54a0d2
    • Instruction ID: 85746f04daf84e96ab0dc94aaf07cb8716b4eb1d28219b1eae9cd9d4ef46ea81
    • Opcode Fuzzy Hash: 8ab64ee0300fd9469ea8df48a25b17406342bb89fc278ac032b285f9af54a0d2
    • Instruction Fuzzy Hash: B6E1F6F3A0C2109FE3046E29EC8167AB7E9EF94320F164A3DEAD5D3340E63558058797
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00CC9CB7
    Memory Dump Source
    • Source File: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: 28d79ce1ffb0f5dd1a28029b1b4ccb3ee88b408615e540f477c151eff11dd6f0
    • Instruction ID: 7e10b585e58a89b9b999c2bce6a08696bb170f7643ff73bbdcb83627cf5f5be7
    • Opcode Fuzzy Hash: 28d79ce1ffb0f5dd1a28029b1b4ccb3ee88b408615e540f477c151eff11dd6f0
    • Instruction Fuzzy Hash: 19F0983260424AFFDF11CFA4C948A8DBBB1FF58345B10C129F91A96250D776D6A1EF44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID:
    • String ID: :O
    • API String ID: 0-810060183
    • Opcode ID: 37af9f0fd78896032ecfdff9e1fc345a845e8db64afbb45d0efe6c93ad024a71
    • Instruction ID: f20dd8c3c5044a67226aee4b132f7c3016808eef28cf73f2b456d8cafa72905c
    • Opcode Fuzzy Hash: 37af9f0fd78896032ecfdff9e1fc345a845e8db64afbb45d0efe6c93ad024a71
    • Instruction Fuzzy Hash: 20718DB640C380AFE302AB34D8556AAFFF1FF96210F1A899ED9C587292D3345455CB93
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID:
    • String ID: b4N
    • API String ID: 0-542000533
    • Opcode ID: fa6dd3f1e7122c749736d58d1dbc0fd53a068fbbcd3b23587c2272ddda60d417
    • Instruction ID: a6857b145afaa044a194e457eb05c1925a4b062b2a0b4278aa8d6f13ad29f5e5
    • Opcode Fuzzy Hash: fa6dd3f1e7122c749736d58d1dbc0fd53a068fbbcd3b23587c2272ddda60d417
    • Instruction Fuzzy Hash: 0E41AFB250C704EFE309AF29DC5167EFBE9FB98320F25892EE1C582650E73498408B47
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID:
    • String ID: b4N
    • API String ID: 0-542000533
    • Opcode ID: 75f77ae1e72e9828b26f4ea89674a2832c81b0b07cc323a98f58f3789349f4b6
    • Instruction ID: e4d3bfdb88a99547656bb6e04a43d5e64841fba7c98d7bc5c9e08d843d3bac66
    • Opcode Fuzzy Hash: 75f77ae1e72e9828b26f4ea89674a2832c81b0b07cc323a98f58f3789349f4b6
    • Instruction Fuzzy Hash: 87417CB250C704EFE309AF19DC5567EFBE5EB98710F15892DE2C582654E73198408B47
    APIs
      • Part of subcall function 00CC9366: IsBadWritePtr.KERNEL32(?,00000004), ref: 00CC9374
    • wsprintfA.USER32 ref: 00CC832E
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00CC83F2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID: ImageLoadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 416453052-2046107164
    • Opcode ID: 20685558b4d75307fba3af926b6dd8105704ff6a8082bc200ef069a5e796caf5
    • Instruction ID: 13369d5cd77c9844c398bf78662ab446f5cca7fd19c78d2f42217e2cf327d084
    • Opcode Fuzzy Hash: 20685558b4d75307fba3af926b6dd8105704ff6a8082bc200ef069a5e796caf5
    • Instruction Fuzzy Hash: 7431043190010AFFCF119F94DD49FAEBB79FF88710F108129F911A61A1D7719A62EB60
    APIs
    • GetFileAttributesExW.KERNEL32(010E11A4,00004020,00000000,-117D5FEC), ref: 00CC8FA6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1953178306.0000000000CC8000.00000080.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true
    • Associated: 00000000.00000002.1952652719.0000000000AF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952667009.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952681649.0000000000AF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952695516.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952710537.0000000000B04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952723651.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952739416.0000000000B06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952831763.0000000000C53000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952845994.0000000000C55000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952902356.0000000000C79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952931614.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952943881.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952956752.0000000000C8E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952969130.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1952990635.0000000000C92000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953102425.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953147885.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953164597.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953231385.0000000000CCC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953246100.0000000000CCD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953259790.0000000000CD0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953313991.0000000000CE7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953327744.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953340303.0000000000CF0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953353060.0000000000CF5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953369454.0000000000D05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953382183.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953397607.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953411754.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953425562.0000000000D19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953439313.0000000000D1D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953453072.0000000000D24000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953466811.0000000000D26000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953499646.0000000000D85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953532215.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1953546111.0000000000D98000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_af0000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 0da0da1b8e8d5a6521b522d88ba517abcfd7b5df2b73168a85069a6db7152df3
    • Instruction ID: 350598fea0d18957b5cba49208f9bae3646dbf7cd9615bf1a9779a1eac0f6de8
    • Opcode Fuzzy Hash: 0da0da1b8e8d5a6521b522d88ba517abcfd7b5df2b73168a85069a6db7152df3
    • Instruction Fuzzy Hash: B6318D71904705EFDF258F84C844B9EBBB1FF08350F10851DE95667650C7B5AAA8DB80